License Agreement for The IIA’s CIA® Challenge Exam Study Guide

STUDENT MATERIALS

By opening and using The IIA’s CIA® Challenge Exam Study Guide student materials (the “Materials”), the user (“User”)
hereby agrees as follows:

(i) That The Institute of Internal Auditors is the exclusive copyright owner of the Materials.

(ii) Provided that the required fee for use of the Materials by User has been paid to The IIA or its agent, User has
the right, by this License, to use the Materials solely for his/her own educational use.

(iii) User has no right to print or make any copies, in any media, of the materials, or to sell, or sublicense, loan, or
otherwise convey or distribute these materials or any copies thereof in any media.
The IIA’s CIA® Challenge Exam Study Guide
The IIA’s CIA® Challenge Exam Study Guide is based on select portions of the Certified Internal Auditor® (CIA®) syllabus
developed by The IIA. However, program developers do not have access to the exam questions. Therefore, while the
study guide is a good tool for study, reading the text does not guarantee a passing score on the CIA exam.

Every effort has been made to ensure that all information is current and correct. However, laws and regulations change,
and these materials are not intended to offer legal or professional services or advice. This material is consistent with the
revised Standards of the International Professional Practices Framework (IPPF) introduced in July 2015, effective in 2017.

Copyright
These materials are copyrighted; it is unlawful to copy all or any portion. Sharing your materials with someone else will
limit the program’s usefulness. The IIA invests significant resources to create quality professional opportunities for its
members. Please do not violate the copyright.

Acknowledgments
The IIA would like to thank the following dedicated subject matter experts who shared their time, experience, and insights
during development and subsequent updates.

Subject matter experts

Farah George Araj, CPA, CIA, CFE, Jayson Walter Kwasnik, CIA, CPA,
QIAL, Australia CA, Canada
Scott Blankenship, CIA, CRMA, CPA, Jessica Minshew, CIA, United States
CFE, United States Joanne F. Prakapas, CIA, CRMA,
Melissa Clawson, CIA, CRMA, United CFE, CPA, CFF, United States
States James M. Reinhard, CIA, United
Christy Decker-Weber, CIA, CRMA, States
CPA, CFE, CHIAP Elizabeth Sandwith, CFIIA, United
Kingdom

Past subject matter experts

Pat Adams, CIA Al Marcella, PhD, CISA, CCSA
Terry Bingham, CIA, CISA, CCSA Markus Mayer, CIA
Raven Catlin, CIA, CPA, CFSA Vicki A. McIntyre, CIA, CFSA, CRMA,
Patrick Copeland, CIA, CRMA, CISA, CPA
CPA Gary Mitten, CIA, CCSA
Don Espersen, CIA Lynn Morley, CIA, CGA
Michael J. Fucilli, CIA, QIAL, CRMA, Lyndon Remias, CIA
CGAP, CFE James Roth, PhD, CIA, CCSA
James D. Hallinan, CIA, CPA, CFSA, Brad Schwieger, CPA, DBA
CBA
Doug Ziegenfuss, PhD, CIA, CCSA,
Larry Hubbard, CIA, CCSA, CPA, CPA, CMA, CFE, CISA, CGFM,
CISA CR.FA., CIT
Jim Key, CIA
David Mancina, CIA, CPA
 Part 1: Essentials of Internal Auditing

Internal auditing is a discipline that works on behalf of management, the board of directors, and other stakeholders of
public and private entities to improve and add value to governance, risk management, and control procedures.

Part 1 of The IIA’s CIA Challenge Exam Study Guide looks at a number of the essentials of internal auditing.

Section A covers the foundations of internal auditing—The IIA’s International Professional Practices Framework; the
purpose, authority, and responsibility of the internal audit activity; the requirements of the audit charter; and the
difference between assurance and consulting services.

Section B looks at the concepts of independence and objectivity.

Section C looks at the concepts of proficiency and due professional care.

Section D describes aspects of a quality assurance and improvement program.

Section E covers organizational governance and risk, and it looks at risk management within an audit activity charter.

Section F focuses on fraud risks—the types of these risks and controls to prevent and detect fraud.
Section A: Foundations of Internal Auditing
This section is designed to help you:
Identify and apply relevant ethical, practical, and legal standards to the audit practice, including The Institute of
Internal Auditors’ (The IIA’s) Code of Ethics, International Standards, and Practice Advisories and relevant laws.
Explain the International Professional Practices Framework categories of guidance.
Explain the Mission of Internal Audit.
Describe the Core Principles for the Professional Practice of Internal Auditing.
Define internal auditing.
Describe compliance with The IIA’s Code of Ethics.
Explain how the purpose, authority, and responsibility for an internal audit activity are documented, communicated,
and approved.
Understand the importance of securing the board’s approval of the internal audit activity charter and audit plan.

According to The IIA

The IIA’s guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to
specific pages and documents varies for the public and The IIA members.
Attribute Standards: www.theiia.org/Attribute-standards
Performance Standards: www.theiia.org/Performance-standards
Standards and Guidance: www.theiia.org/Guidance
Position Papers: www.theiia.org/Position-papers
Implementation Guidance: www.theiia.org/Practiceadvisories
Practice Guides and GTAGs: www.theiia.org/Practiceguides

Topic 1: Mission, Definition, and Core Principles

This topic discusses The IIA’s Mission of Internal Audit, Definition of Internal Auditing, and Core Principles for the
Professional Practice of Internal Auditing and the purpose, authority, and responsibility of the internal audit activity.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Implementation Guidance for Standard 1000
Practice Guide, “Demonstrating the Core Principles for the Professional Practice of Internal Auditing”

The Framework
The Institute of Internal Auditors (The IIA) uses the International Professional Practices Framework (IPPF) to organize
its authoritative guidance in a manner that is readily accessible. The IPPF, sometimes called the “Red Book,” is intended
to help practitioners and stakeholders throughout the world respond to the expanding market for high-quality internal
auditing.

The IPPF contains both mandatory and recommended guidance. The Mission of Internal Audit, the Core Principles for the
Professional Practice of Internal Auditing, the Definition of Internal Auditing, the Code of Ethics, and the International
Standards for the Professional Practice of Internal Auditing (the Standards) comprise the mandatory guidance.
Recommended guidance in the IPPF includes Implementation Guidance and Supplemental Guidance. All of the guidance
sources listed above will be discussed throughout this product. The IPPF is shown in Exhibit 1-1.
 Exhibit 1-1: International Professional Practices Framework

Note that recommended guidance is endorsed by The IIA, but it is not required, and the IIA recommends using
independent expert advice for any specific situations that may arise.

Mission of Internal Audit

Exhibit 1-2: Mission of Internal Audit

The Mission of Internal Audit articulates what internal audit aspires to accomplish in an organization. It demonstrates how
practitioners should leverage the entire IPPF to facilitate their ability to achieve the Mission. The placement of the Mission
within the IPPF is shown in Exhibit 1-2.

According to The IIA

Mission of Internal Audit
To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.

Key Point
The Mission of Internal Audit is deliberately placed in the IPPF, demonstrating how practitioners should leverage the
entire framework to facilitate their ability to achieve the Mission.
By requiring that the services provided by internal audit be risk-based and objective, the Mission aligns directly with the
expectations of stakeholders. Each requirement serves a different function. The risk basis supports the goal to protect
organizational value, and objectivity is one of the main strategic success enablers of the internal audit activity.

The Mission makes it clear that internal audit must be focused on increasing the organization’s value and that there are
three general types of risk-based and objective activities through which internal audit increases and protects this value:
Assurance
Advice
Insight

Assurance work makes up the majority of internal audit activities. It is designed to communicate to the main stakeholders
that management:
Has deployed appropriate activities to achieve its objectives.
Is appropriately managing the risks to those objectives.
Has agreed to implement required additional risk mitigation and improvement measures.

Advice can be provided through advisory engagements, which are often referred to as consulting engagements. These are
designed to provide advice and insight to the organization in a proactive, customer-driven approach.

Insight can be provided in a variety of formats, which may include but are not limited to:
Assurance engagement reports.
Advisory engagement reports.
Participation on committees and task forces.
Personal meetings.
Board reporting.
Progress reporting.

Core Principles
Exhibit 1-3: Core Principles for the Professional Practice of Internal Auditing

The Principles set out the basic elements that describe internal audit effectiveness with respect to the aspirations
expressed in the Mission of Internal Audit. They serve as fundamental propositions that form the basis for the Code of
Ethics and the Standards. The placement of the Core Principles within the IPPF is shown in Exhibit 1-3.
According to The IIA
Core Principles for the Professional Practice of Internal Auditing
Demonstrates integrity.
Demonstrates competence and due professional care.
Is objective and free from undue influence (independent).
Aligns with the strategies, objectives, and risks of the organization.
Is appropriately positioned and adequately resourced.
Demonstrates quality and continuous improvement.
Communicates effectively.
Provides risk-based assurance.
Is insightful, proactive, and future-focused.
Promotes organizational improvement.

Each Principle may apply to the individual auditor, the audit activity, or both. Though internal audit activities may
demonstrate achievement of principles in various ways, each of the Principles must be present and successfully operating
for the audit activity to be considered effective. Failure to achieve any one of the Principles suggests that the activity is not
as effective as it could be.

Consequences of Not Demonstrating Core Principles

The consequences that may result from not demonstrating the Core Principles help reinforce the importance of each
Principle. For each Principle listed below, an example is given describing a potential negative consequence.

Demonstrates integrity. The internal audit activity may lose the trust placed in it and consequently its credibility to
provide independent and objective assurance and advice.

Demonstrates competence and due professional care. Internal audit risk assessments, the activity’s plan of
engagements, and the scope and objectives of engagements may not be sufficient, accurate, or complete.

Is objective and free from undue influence (independent). Management and the board are unlikely to trust internal
audit observations as accurate and complete.

Aligns with the strategies, objectives, and risks of the organization. The internal audit activity risks wasting
resources on assessing areas, processes, or issues that do not help the organization manage its key risks and achieve
its objectives.

Is appropriately positioned and adequately resourced. The results and conclusions of internal audit work may not
be treated with sufficient importance to prompt action from management, and independent reporting may be difficult.

Demonstrates quality and continuous improvement. Errors may occur in internal audit work, or there may be a
perception that the work is not reliable. The internal audit activity may fail to keep up with innovations in technology,
methodology, and audit techniques.

Communicates effectively. The internal audit activity may be unable to obtain the position, resources, and
information it needs to conduct engagements and to effectively express its results, conclusions, and opinions to
management and the board.

Provides risk-based assurance. Management and the board will not have independent validation that its controls are
designed properly and are working as expected to mitigate risks.

Is insightful, proactive, and future-focused. The internal audit activity is likely to miss emerging risks, and the value
it adds will be limited.
 Promotes organizational improvement. The value that internal audit adds may be limited, as it may miss
opportunities to recommend ways the organization could increase efficiency.

Definition of Internal Auditing

Exhibit 1-4: Definition of Internal Auditing

The Definition of Internal Auditing is mandatory guidance from the IIA and is key to understanding the role and depth of
internal auditing. The placement of the Definition within the IPPF is shown in Exhibit 1-4.

According to The IIA

Definition of Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve
an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

The strategic focus of internal audit is clearly aligned with the expectations of key organizational stakeholders. The
Definition of Internal Auditing focuses the image of internal auditing in six significant ways.

It describes internal auditing as an independent, objective activity. Independence refers to a structure that allows for
the audit activity’s freedom to determine audit or assurance scope, to perform the work judged necessary to achieve
engagement objectives, and to communicate the results. Objectivity refers to the personal ability to be non-biased,
which allows auditors to be responsive to their customers and to add value through their objective analyses and
recommendations for improvement.

The definition explicitly recognizes the consulting role of internal audit in providing advice to the organization, in
addition to assurance activities. This conveys a proactive, customer-driven approach where internal audit plays a role
in organizational governance, risk management, and control activities.

By stating that internal auditing is designed to “add value and improve an organization’s operations,” the definition
articulates the expectation that the internal audit activity will add value to the organization.

By referring to the organization’s objectives, the definition focuses on the whole organization. This requires auditors to
understand the strategic objectives of the organization and the goals and objectives that support it and to view
problems and solutions from a broad perspective.

The definition recognizes internal auditing’s legacy of delivering services with a tried-and-true, systematic, and
 disciplined approach that results from being a standards-based profession.

The definition charges internal auditors with a broad and involved role to play in the organization’s governance and risk
management processes. Underlying the terminology is the understanding that controls exist to help the organization
manage risk and promote effective governance processes.

Internal auditing differs from external auditing, which serves third parties who require reliable financial information based
on reliable supporting records. Drawing further distinctions between internal and external auditors as well as other related
review functions can help clarify what internal auditing is and what it is not. These distinctions are described below:

External auditors/financial auditors. These auditors provide an attestation solely based on the financial reports and
statements generated by an organization. The work of external and financial auditors is historical in nature and is
critical to allowing investors and other third parties to make informed decisions (e.g., investing, approving debt
issuance) about an organization based on its financial statements when taken as a whole.

Compliance. Compliance reviews typically serve to determine whether or not an organization is adhering to a
specified law, regulation, standard, policy, or procedure, and the results are reported as such.

Regulators. These auditors work for regulating bodies that review compliance with specific regulations as well as the
overall safety and soundness of the organizations being examined. These auditors perform compliance reviews of
corporations or agencies that are regulated by the specified regulating body.

Government auditors. Government auditors typically work for departments, ministries, or agencies of a government
and provide assurance regarding program requirements, performance audits, budget reviews, and management
audits.

The Standards
Exhibit 1-5: Standards

The Standards are a set of principles-based, mandatory requirements consisting of:

Statements of core requirements for the professional practice of internal auditing and the evaluation of performance
effectiveness that are internationally applicable at organizational and individual levels.
Interpretations that clarify terms or concepts within the Standards.

The placement of the Standards within the IPPF is shown in Exhibit 1-5.

The Standards comprise two main categories:

 Attribute Standards address the attributes of organizations and individuals performing internal auditing.
Performance Standards describe the nature of internal auditing and provide quality criteria against which the
performance of these services can be measured.

Attribute and Performance Standards apply to all internal audit services.

Implementation Standards expand upon existing Attribute and Performance Standards by providing the requirements
specifically applicable to assurance (.A) or consulting (.C) services. These requirements are discussed as applicable
throughout the text.

Many of the Standards use the words “must” or “should.” These terms have specific meaning within the IPPF. The word
“must” specifies an unconditional requirement; the word “should” is used where conformance is expected unless, when
applying professional judgment, circumstances justify deviation.

Purpose, Authority, and Responsibility

According to The IIA

Attribute Standard 1000, “Purpose, Authority, and Responsibility”
The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit
charter, consistent with the Mission of Internal Audit and the mandatory elements of the International Professional
Practices Framework (the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the
Standards, and the Definition of Internal Auditing). The chief audit executive must periodically review the internal audit
charter and present it to senior management and the board for approval.

Standard 1000 requires that the purpose, authority, and responsibility of the internal audit activity be clearly defined and
approved by senior management and the board. Creating an understanding of the purpose, authority, and responsibility
allows the internal audit activity to best support overall organizational goals and objectives and to strengthen internal
controls and corporate governance. Exhibit 1-6 reviews the key elements characterizing internal audit activity purpose,
authority, and responsibility.

Exhibit 1-6: Purpose, Authority, and Responsibility Characteristics for Internal Audit
Activity

Purpose, Authority, and Responsibility Characteristics for Internal Audit Activity

Purpose Provide risk-based and objective assurance, advice, and insight.

Support organizational objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of governance,
risk management, and control processes.
Determine if organizational governance, risk management, and control
processes are in place and functioning properly.
Communicate any opportunities for improvement or risk exposures to
the appropriate management level (and the board/audit committee as
appropriate).
Add value and improve an organization’s operations.
Authority Provide appropriate unfettered access to records, personnel, and
physical properties.
Maintain full and open access with the audit committee, board of
directors, or other appropriate governing authority.
Secure necessary internal and external resources to accomplish audit
activity objectives as planned.
Responsibility Document the objectives and scope of the engagement as well as the
methodology to be used.
Ensure that internal audit activity staff have sufficient knowledge,
skills, experience, and/or professional certifications to fulfill the
 engagement charter.
Communicate the results of the internal audit activity or other matters
that the chief audit executive determines necessary to senior
management, the audit committee, the board, or other governing body
of the organization.
Consider the coordination of internal and external audit work to
increase economy, efficiency, and effectiveness of the overall audit
process.
Do not perform management activities.

Standard 1000 introduces several concepts that are crucial to understand when following the mandatory and
recommended guidance contained within the IPPF.

The internal audit charter is a critical document that records the agreed-upon purpose, authority, independence and
objectivity, reporting structure, and responsibility of an organization’s internal audit activity. It establishes the internal
audit activity’s position within the organization; authorizes access to records, personnel, and physical properties; and
defines the scope of internal audit activities.

The chief audit executive (CAE) is defined in the IPPF glossary as “a person in a senior position responsible for
effectively managing the internal audit activity....” This person is charged with the creation of the internal audit charter
and with the task of reviewing and presenting the audit charter for board approval periodically. The specific job title
and/or responsibilities of the CAE may vary across organizations, and the position may be outsourced as well. For
example, in organizations with smaller audit activities, the CAE may also be responsible for conducting engagements.
It should be understood that the duties of the CAE are the duties of the internal audit activity as a whole, with these
duties typically being managed by the CAE. The CAE should report to the board, which helps maintain internal audit
independence.

The board is defined in the IPPF glossary as “the highest level governing body (e.g., a board of directors, a
supervisory board, or a board of governors or trustees) charged with the responsibility to direct and/or oversee the
organization’s activities and hold senior management accountable.” It may refer to an audit committee, which is a
subset of the broader board to oversee certain functions (e.g., internal audit, external auditors, financial concerns). If a
board or audit committee does not exist, the term may refer to the head of an organization.

Topic 2: Internal Audit Charter Requirements

This topic discusses the required information, approval requirements, and typical components of an internal audit charter.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
IIA Model Charter
Implementation Guidance for Standards 1000 and 1010

Audit Charter and Approval

The internal audit charter provides a recognized statement of the purpose, authority, and responsibility of internal audit for
review and acceptance by management and for approval by the board. If a question should arise, the internal audit charter
provides a formal, written agreement with management and the board.

Before writing or revising the internal audit charter, the CAE typically reviews the IPPF to refresh his or her understanding
of the Mission of Internal Audit and the elements that must be included in the charter, which are governed by Standard
1010.
According to The IIA
Attribute Standard 1010, “Recognizing Mandatory Guidance in the Internal Audit Charter”
The mandatory nature of the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the
Standards, and the Definition of Internal Auditing must be recognized in the internal audit charter. The chief audit
executive should discuss the Mission of Internal Audit and the mandatory elements of the International Professional
Practices Framework with senior management and the board.

The CAE is required to review the internal audit charter periodically and present it to senior management and the board for
review. The CAE and the board may agree on the frequency of review and reaffirmation for the charter, sometimes
accomplished by establishing a standing annual agenda item with the board. If questions arise in the interim, the charter
may be referenced and updated as needed.

To recognize the mandatory elements of the IPPF in the internal audit charter, the CAE may make specific statements that
use language from applicable standards, such as Standard 1010, directly. Alternatively, the CAE may use language and
content throughout the internal audit charter that require conformance with Mandatory Guidance.

Key Point
Once the charter is adopted, it is important for the CAE to monitor the IIA’s Mandatory Guidance and discuss any
changes that may be warranted during the next charter review with senior management and the board.

Elements of the Internal Charter

Let’s examine the typical elements of an internal audit charter, using the IIA Model Charter as an example.

The introductory section explains the overall role and professionalism of the internal audit activity. Relevant elements of
the IPPF are often cited in the introduction. In Exhibit 1-7, the Mission of Internal Audit and the Definition of Internal
Auditing are both used to craft the “Purpose and Mission” section. The “Standards for the Professional Practice of Internal
Auditing” section conforms with the requirements of Standard 1010.

Exhibit 1-7: Introduction

The “Authority” section specifies the internal audit activity’s full access to the records, physical property, and personnel
required to perform engagements. In the Model Charter, this section also covers the organization and reporting structure,
as seen in Exhibit 1-8. Some charters may use a separate section for the organization and reporting structure, which may
also delve into specific functional responsibilities.
 Exhibit 1-8: Authority

The “Independence and Objectivity” section of the charter describes the importance of internal audit independence and
objectivity and how these will be maintained, as seen in Exhibit 1-9.

Exhibit 1-9: Independence and Objectivity

The “Responsibilities” section of the charter lays out major areas of ongoing responsibility. As seen in Exhibit 1-10, the
scope of engagements may be listed separately from other areas of ongoing responsibility.
 Exhibit 1-10: Responsibilities

The “Quality Assurance and Improvement Program” section, shown in Exhibit 1-11, describes the expectations for
developing, maintaining, evaluating, and communicating the results of a quality assurance and improvement program.
 Exhibit 1-11: Quality Assurance and Improvement

Signatures at the end of the charter document agreement among the CAE, a designated board representative, and the
individual to whom the CAE administratively reports. As seen in Exhibit 1-12, the dates and the titles of the signatories are
included in this section.

Exhibit 1-12: Signatures

Topic 3: Assurance versus Consulting

This topic discusses the difference between the assurance and consulting services that are provided by the internal audit
activity.

Assurance and Consulting Services

Internal auditors provide a variety of assurance and consulting (advisory) services.

The IPPF glossary defines assurance services as:

An objective examination of evidence for the purpose of providing an independent assessment on

governance, risk management, and control processes for the organization. Examples may include
financial, performance, compliance, system security, and due diligence engagements.

The glossary defines consulting services as:

Advisory and related client services activities, the nature and scope of which are agreed with the client,
are intended to add value and improve an organization’s governance, risk management, and control
 processes without the internal auditor assuming management responsibility. Examples include counsel,
advice, facilitation, and training.

Assurance and consulting services are referenced in Implementation Standards listed with Attribute Standard 1000 in the
IPPF, seen below.

According to The IIA

Implementation Standard 1000.A1 (Assurance Engagements)
The nature of assurance services provided to the organization must be defined in the internal audit charter. If
assurances are to be provided to parties outside the organization, the nature of these assurances must also be
defined in the internal audit charter.

According to The IIA

Implementation Standard 1000.C1 (Consulting Engagements)
The nature of consulting services must be defined in the internal audit charter.

Let’s look at some key differences between assurance and consulting, and some examples of the different types of
services internal auditors may provide.

Assurance Services
Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or
conclusion regarding an entity, operation, function, process, system, or other subject matter. Three parties are generally
involved in assurance services:
The person or group directly involved with the entity, operation, function, process, system, or other subject matter—the
client
The person or group making the assessment—the internal auditor
The person or group using the assessment—the user or stakeholder

The nature and the scope of the assurance engagement are determined by the internal auditor.

Assurance services are at the core of internal auditing. While others can provide consulting services, internal audit has the
knowledge of the organization and the independence to provide the board with the information, facts, and conclusions they
need to make appropriate decisions. Assurance work makes up the majority of internal audit activities. Examples of
assurance services may include:
Financial.
Performance.
Compliance.
System security.
Due diligence.
Strategic.

Consulting Services
Consulting services are advisory in nature and are generally performed at the specific request of an engagement client.
They generally involve two parties:
The person or group offering the advice—the internal auditor
The person or group seeking and receiving the advice—the engagement client

The nature and the scope of a formal consulting engagement are subject to agreement with the engagement client. Such
agreements should be formalized in writing.

Consulting services can include any advisory activity that improves the organization’s governance, risk management,
controls, and compliance. The following are examples of different types of consulting services.

Advisory consulting engagements. These engagements are designed to offer advice and might include:
Advising on control design.
Advising during development of policies and procedures.
Participating in an advisory role for high-risk projects.
Advising on certain enterprise risk management activities.
Recommending solutions to key issues or challenges facing the organization.

Training consulting engagements. These engagements are educational in nature and might include:
Training on governance, risk management, and internal control.
Benchmarking internal areas with comparable areas of similar organizations to identify best practices.
Post-mortem analysis—that is, determining lessons learned from a project after it is completed.

Facilitative consulting engagements. These engagements might include:

Facilitating an organization’s risk assessment process.
Facilitating management’s control self-assessment.
Facilitating a task force charged with redesigning controls and procedures for a new or changed area.
Acting as a liaison between management and independent outside auditors, government agencies, vendors, and
contractors on control issues.

Consulting may range from formal engagements, defined by written agreements, to informal activities, such as
participating in standing or temporary management committees or project teams. Internal auditors may be requested to
help in special consulting engagements, such as participation in a merger or acquisition project or in an emergency
engagement. These may require departure from normal or established procedures for conducting consulting
engagements.

The following are common examples of consulting activities:

Business process improvement
Risk and control self-assessment
Continuous monitoring of controls
Internal control review
Forensic audits
Operational readiness (product launch, new service or system)
Governance principles and practices
Ethics training
Internal control training
Participation on committees

Consistent with the IIA’s Code of Ethics, a consulting engagement should never be conducted in an attempt to circumvent
assurance engagement requirements such as the need to provide an opinion at the end of an engagement. Services once
conducted as an assurance engagement may be performed as a consulting engagement—if deemed appropriate.

Blended Engagements
Assurance and consulting services are not mutually exclusive, so an audit activity can have both assurance and consulting
components. A blended engagement may consolidate elements of assurance and consulting activities. A blended
engagement may take the form of a due diligence engagement to provide assurance and consulting services in support of
management's evaluation of an acquisition candidate, for example. In other instances, individual components of an
engagement may be specified as assurance or consulting. This blending of the two types of services can add value and
create efficiencies.

However, if assurance and consulting services are blended, it must be ensured that there are no conflicts of
independence, objectivity, or otherwise with regard to roles and responsibilities.

Topic 4: IIA Code of Ethics Conformance

This topic discusses the IIA’s Code of Ethics, including its four key components:
Integrity
Objectivity
Confidentiality
Competency

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
IPPF Code of Ethics Implementation Guides

Purpose of the Code of Ethics

Exhibit 1-13: The Code of Ethics

The purpose of the IIA's Code of Ethics is to promote an ethical culture in the profession of internal auditing. It is
necessary and appropriate for the profession of internal auditing. The Code of Ethics extends beyond the Definition of
Internal Auditing to include two essential components:
Principles that are relevant to the profession and practice of internal auditing.
Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to interpreting the
Principles into practical applications and are intended to guide the ethical conduct of internal auditors.

The Code of Ethics applies to both entities and individuals that perform internal audit services. The placement of the Code
of Ethics within the IPPF is shown in Exhibit 1-13.
According to The IIA
Code of Ethics
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an
organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Key Point
It is especially important for the CAE to uphold the Code of Ethics, thereby setting the tone for the value of ethics among
the team.

The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable or
discreditable and, therefore, the member, certification holder, or candidate can be liable for disciplinary action.

We will now focus on each of the four main principles in the Code of Ethics, starting with integrity.

Integrity
The Code of Ethics describes integrity as follows:

The integrity of internal auditors establishes trust and thus provides the basis for reliance on their
judgment.

The Rules of Conduct specify that internal auditors:

1. Shall perform their work with honesty, diligence, and responsibility.
2. Shall observe the law and make disclosures expected by the law and the profession.
3. Shall not knowingly be a party to any illegal activity or engage in acts that are discreditable to the profession of internal
auditing or to the organization.
4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

While the principle of integrity applies to all auditors, it may be implemented differently from the perspective of the CAE
compared to the perspective of the individual auditor.

As the leader of the internal audit activity, the CAE should cultivate a culture of integrity by acting with integrity and
adhering to the Code of Ethics. In order to assist in cultivating that culture, the CAE may:
Require internal auditors to agree in writing to follow the IIA’s Code of Ethics and any additional ethics-related policies.
Emphasize the importance of integrity by providing training that demonstrates integrity and other ethical principles.

Effectively managing the internal audit activity includes proper engagement supervision and periodic reviews of internal
auditors’ performance, which provide opportunities to discuss how integrity may be challenged and applied in real
situations. The CAE should also maintain a working environment in which internal auditors feel supported when
expressing legitimate, evidence-based observations, conclusions, and opinions, even if they are not favorable.

For the individual auditor, integrity may be considered primarily a personal attribute, making it difficult to measure, enforce,
or guarantee. In simple terms, internal auditors are expected to tell the truth and do the right thing, even when it is
uncomfortable or difficult to do so.

Objectivity
The Code of Ethics describes objectivity as follows:

Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and
communicating information about the activity or process being examined. Internal auditors make a
 balanced assessment of all the relevant circumstances and are not unduly influenced by their own
interests or by others in forming judgments.

Objectivity is defined in the IPPF glossary as:

An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that
they believe in their work product and that no quality compromises are made. Objectivity requires that
internal auditors do not subordinate their judgment on audit matters to others.

The Rules of Conduct specify that internal auditors:

1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment.
This participation includes those activities or relationships that may be in conflict with the interests of the organization.
2. Shall not accept anything that may impair or be presumed to impair their professional judgment.
3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

The CAE may create relevant policies and procedures, for example, regarding gifts or requiring internal auditors to
complete a form disclosing potential conflicts of interest and impairments to objectivity.

For internal auditors, objectivity can be best pursued by providing a balanced assessment, ensuring that they are not
unduly influenced in forming judgments, and avoiding conflicts of interest and impairments. The Standards provide a
systematic and disciplined internal audit approach that can assist with ensuring objectivity.

Confidentiality
The Code of Ethics describes confidentiality as follows:

Internal auditors respect the value and ownership of information they receive and do not disclose
information without appropriate authority unless there is a legal or professional obligation to do so.

The Rules of Conduct specify that internal auditors:

1. Shall be prudent in the use and protection of information acquired in the course of their duties.
2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the
legitimate and ethical objectives of the organization.

Information includes data in physical form and in electronic form. Confidentiality involves protecting information from being
disclosed to unauthorized individuals, both within and outside the organization. Internal auditors should understand laws
and regulations related to confidentiality and information security as well as any policies specific to their organization or
the internal audit activity.

To properly follow confidentiality laws and regulations, organizations usually issue information security policies. To better
understand the impact of legal and regulatory requirements and protections, the CAE should consult with legal counsel.
Organizational policies and procedures may require that specific authorities, such as legal counsel, review and approve
business information before external release.

The CAE may implement additional policies, processes, and procedures for the internal audit activity and external
consultants to follow, typically closely aligned with the IPPF’s Mandatory Guidance. During meetings or training of the
internal audit activity, the CAE may discuss principles, rules, policies, and expectations related to confidentiality.

Ultimately, internal auditors are responsible for practicing confidentiality, which may be most evident when receiving
confidential, proprietary, or personally identifiable information during the course of an audit engagement. To comply with
the Rules of Conduct related to the confidentiality principle, internal auditors must follow established procedures for
disclosure. Internal auditors should not use insider financial, strategic, or operational knowledge to bring about personal
financial gain.

Competency
The Code of Ethics describes competency as follows:

Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit
services.

The Rules of Conduct specify that internal auditors:

1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of
Internal Auditing.
3. Shall continually improve their proficiency and the effectiveness and quality of their services.

The CAE is responsible for ensuring the competency of the internal audit activity as a whole. However, individual internal
auditors are responsible for their own conformance with the competency principle, the Rules of Conduct, and the relevant
standards and for obtaining the knowledge, skills, and experience needed to perform their responsibilities and to
continually improve their proficiency and quality of service.

To ensure the competency of the internal audit activity as a whole, the CAE should inventory the skills and experience of
individual auditors, align them with the competencies needed to fulfill the internal audit plan, and identify any gaps in
coverage. The CAE may address deficiencies by:
Providing training and mentorship.
Rotating internal audit staff.
Bringing in guest auditors.
Hiring external service providers.

The CAE should also develop polices and procedures that include regularly reviewing individual performance and should
encourage educational and training opportunities when possible.

To gain insight into their level of competency, proficiency, and effectiveness and to find areas for potential growth, internal
auditors should regularly assess themselves. Internal auditors should also seek constructive feedback from peers,
supervisors, and the CAE.

Internal auditors may build their competencies by pursuing educational and mentorship opportunities and supervised work
experiences that enable them to expand their skills. Properly supervised internal audit engagements play a large role in
facilitating the development of internal auditors, because most internal audit activities have limited resources.

Individual internal auditors are responsible for taking the necessary actions to obtain any continuing professional
education and development hours they may need. They should be aware of the current requirements for maintaining the
active status of any credentials they hold. Most certifications require the completion of ethics training and continuing
professional development.
Section B: Independence and Objectivity
This section is designed to help you:
Define independence and objectivity in terms of internal audit.
Interpret organizational independence of the internal audit activity.
Explain the importance of independence in an internal audit activity.
Explain the reporting relationships for internal auditors.
Identify whether the internal audit activity has any impairments to its independence.
Assess and maintain an individual internal auditor’s objectivity, including determining whether an individual internal
auditor has any impairments to his/her objectivity.
Analyze policies that promote objectivity.

According to The IIA

The IIA’s guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to
specific pages and documents varies for the public and The IIA members.
Attribute Standards: www.theiia.org/Attribute-standards
Performance Standards: www.theiia.org/Performance-standards
Standards and Guidance: www.theiia.org/Guidance
Position Papers: www.theiia.org/Position-papers
Implementation Guidance: www.theiia.org/Practiceadvisories
Practice Guides and GTAGs: www.theiia.org/Practiceguides

This section covers the crucial requirements for the internal audit activity to be independent and individual internal auditors
to be objective. Lacking either of these crucial traits can render the results of engagements and the recommendations of
internal audit unreliable and inaccurate, to the detriment of the organization.

Topic 1: Organizational Independence

This topic discusses the organizational independence of the internal audit activity, including the importance of
independence and functional reporting.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Implementation Guidance for Standards 1100, 1110, 1111, 1112

Organizational Independence

According to The IIA

Attribute Standard 1110, “Organizational Independence”
The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its
responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational
independence of the internal audit activity.

Independence is defined in the IPPF glossary as “the freedom from conditions that threaten the ability of the internal audit
activity to carry out internal audit responsibilities in an unbiased manner.” These conditions often stem from the
organizational placement and assigned responsibilities of internal audit.

The assigned roles and responsibilities for internal audit vary from organization to organization based on factors such as:
Organizational size.
Type of operations.
 Capital structure.
Legal and regulatory environment.

If the internal audit activity does not have sufficient organizational status and autonomy, the ability to effectively manage
the independence of its work and reports is subject to question.

Standard 1110 is effectively achieved when the CAE reports functionally to the board. Some examples of this functional
reporting involve the board:
Approving the internal audit charter.
Approving the risk-based internal audit plan.
Approving the internal audit budget and resource plan.
Receiving communications from the CAE on the internal audit activity’s performance relative to its plan and other
matters.
Evaluation and compensation of the CAE.
Appointment and removal of the CAE.

According to The IIA

Implementation Standard 1110.A1 (Assurance Engagements)
The internal audit activity must be free from interference in determining the scope of internal auditing, performing work,
and communicating results. The chief audit executive must disclose such interference to the board and discuss the
implications.

Functional oversight requires the board to create the right working conditions to permit the operation of an independent
and effective internal audit activity. The board monitors the ability of the internal audit activity to operate independently.

The IIA recommends that the CAE report administratively to the CEO, indicating that the CAE is in a senior position with
the authority to perform duties unimpeded. However, in some cases, the CAE has an administrative reporting line to a
member of senior management, which enables the requisite stature and authority of internal audit to fulfill responsibilities.
The essential point is that the CAE will have unrestricted access to report sensitive matters to the highest level of
governance in the organization.

Generally, the CAE, the board, and senior management discuss and agree upon internal audit's responsibility, authority,
and expectations as well as the necessary organizational placement of internal audit and CAE reporting relationships to
enable internal audit to fulfill its duties. The internal audit charter will reflect the decisions reached during those
discussions.

According to The IIA

Attribute Standard 1111, “Direct Interaction With the Board”
The chief audit executive must communicate and interact directly with the board.

In addition to the administrative reporting relationship to the CEO and/or senior management, the CAE typically has a
direct functional reporting relationship with the board or audit committee, as seen in Exhibit 1-14.
 Exhibit 1-14: Internal Audit Reporting Structure

With such a relationship, the CAE will have many opportunities to communicate and interact directly with the board, such
as during audit committee and/or full board meetings, as well as through the ability to directly contact the chair or any
member of the board. Access to these meetings allows the CAE to absorb strategic business and operational
developments as well as raise high-level risk, system, procedure, or control issues at an early stage. A private meeting
with the board, without senior management present, is formally conducted at least annually to discuss matters and issues.

CAEs without direct access to the board can share Standard 1111 (as well as Standards 1100 and 1110), recommended
governance practices, and board/audit committee best practice studies to pursue a stronger relationship and direct
access. CAEs in this situation may consider written communications to the board until a direct line of communication is
available.

In addition to the audit committee, the board and/or senior management also play a major role in setting the tone and
substance of the internal audit activity.

According to The IIA

Attribute Standard 1100, “Independence and Objectivity”
The internal audit activity must be independent, and internal auditors must be objective in performing their work.

As seen in Standard 1100, independence is viewed as an attribute of the internal audit activity, whereas objectivity is an
attribute of the individual auditor. The attribute of the internal audit activity relates to its organizational independence.

Objectivity
Objectivity is defined in the IPPF glossary as:

An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that
they believe in their work product and that no quality compromises are made. Objectivity requires that
internal auditors do not subordinate their judgment on audit matters to others.

Maintaining this impartial state of mind and avoiding conflicts of interest is prerequisite to any value being gained from
internal audit work.

It is the responsibility of the CAE to ensure that internal audit staff are not placed in situations where they feel unable to
make objective professional judgments. The CAE should monitor potential conflicts of interest and bias within the internal
audit activity and make assignments accordingly to avoid problems.

One strategy for an individual internal auditor to ensure that he or she is acting objectively is to consult with others in the
internal audit activity when addressing potentially sensitive areas.

The CAE may use an internal audit policy manual or handbook that describes expectations and requirements for an
unbiased mindset. To reinforce the importance of those policies, some CAEs will hold routine workshops or training on
fundamental concepts.
CAE Roles Beyond Internal Auditing
The IIA recommends that the CAE not have operational responsibilities beyond the internal audit activity. If the CAE does
have other operational responsibilities, such as risk management or compliance, the CAE typically discusses the
independence concerns and the potential objectivity impairment with the board and senior management.

According to The IIA

Attribute Standard 1112, “Chief Audit Executive Roles Beyond Internal Auditing”
Where the chief audit executive has or is expected to have roles and/or responsibilities that fall outside of internal
auditing, safeguards must be in place to limit impairments to independence and objectivity.

To address the risks of impairment in situations where the CAE is asked to take on a role outside of internal audit, the CAE
should gain an understanding of any proposed role that falls outside of internal auditing and speak with senior
management and the board about the reporting relationships, responsibilities, and expectations related to the role.

In situations where the CAE has roles outside of internal audit, the board and/or senior management will implement
safeguards to limit the impairment. Examples include:
Periodically evaluating CAE responsibilities.
Developing alternate processes to obtain assurance related to the additional areas of responsibility.
Being aware of the potential objectivity impairment when considering internal audit risk assessments.

When the CAE is asked to take on a role outside of internal audit, documentation of any safeguards that were established
to address potential impairments may be used to demonstrate conformance with Standard 1112. The CAE can also
demonstrate conformance by showing that other assurance providers have assessed the areas where the CAE had
undertaken additional roles beyond internal auditing.

Ensuring Independence and Objectivity in Small Audit Activities

The 1100 section of the Standards is an area where there could be a high degree of challenge for smaller internal audit
activities. Small audit shops may encounter challenges with independence and objectivity because of the reporting
structure or the newness of the activity, closer associations with management, weaker organizational governance, and the
existence of additional responsibilities outside the core activity.

The IIA suggests the following approaches to addressing this challenge:

The CAE must maintain open communications with the board and senior management regarding the critical need for
auditor independence and objectivity.
In areas where auditors may have been given operational responsibilities, the CAE should provide various alternatives
for how those areas might be audited.
In organizations where close working relationships are expected, engagements should always be performed with
objectivity in mind.
When issuing a report where independence or objectivity could not be achieved at an acceptable level, the CAE must
disclose that fact in the audit report, including the reasons and the related impact.

Topic 2: Impairments to Independence

This topic discusses what impairments may hinder the independence of the internal audit activity. This can be caused by
issues stemming from the individual auditor’s personal impairments, such as conflict of interest, as well as structural and
operational limits caused by reporting structures and resource limitations.
According to The IIA
In addition to reviewing the contents of this topic, students can review the following IIA materials:
Implementation Guidance for Standard 1130
Practice Guide, “Interaction with the Board”

Impairments to Independence

According to The IIA

Attribute Standard 1130, “Impairment to Independence or Objectivity”
If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to
appropriate parties. The nature of the disclosure will depend on the impairment.

Disclosing impairments to independence or objectivity, in accordance with Standard 1130, gives auditors the opportunity to
perform the requested service and provide the needed audit information but at the same time empowers the customers to
determine for themselves whether or not to rely on the audit results. This must be disclosed before accepting consulting
engagements, in accordance with Implementation Standard 1130.C2.

According to The IIA

Implementation Standard 1130.C2 (Consulting Engagements)
If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services,
disclosure must be made to the engagement client prior to accepting the engagement.

Examples of impairment to organizational independence and objectivity may include:

Personal conflict of interest.
Scope limitation.
Restrictions on access to records, personnel, and properties.
Resource limitations.
Assurance services provided within a period after an internal audit consulting engagement.

The final example may be completed without impairment by following Implementation Standard 1130.A3.

According to The IIA

Implementation Standard 1130.A3 (Assurance Engagements)
The internal audit activity may provide assurance services where it had previously performed consulting services,
provided the nature of the consulting did not impair objectivity and provided the internal objectivity is managed when
assigning resources to the engagement.

To fully understand and appreciate independence and objectivity, it is important that internal auditors consider the
perspectives of their various stakeholders and the conditions that could be perceived as undermining or appearing to
undermine independence and objectivity.

Examples of organizational independence impairments include the following, which can also undermine internal auditor
objectivity:
The CAE has broader functional responsibility than internal audit and executes an audit of a functional area that is also
under the CAE’s oversight.
The CAE’s supervisor has broader responsibility than internal audit, and the CAE executes an audit within his or her
supervisor’s functional responsibility.
The CAE does not have direct communication or interaction with the board.
The budget for the internal audit activity is reduced to the point that internal audit cannot fulfill its responsibilities as
 outlined in the charter.

The first example is specifically governed by Implementation Standard 1130.A2, which requires that audits in an area
under the CAE's oversight be overseen by a party outside the internal audit activity.

According to The IIA

Implementation Standard 1130.A2 (Assurance Engagements)
Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by a
party outside the internal audit activity.

When internal auditors observe what they believe to be an impairment, typically they will begin to address it by discussing
the situation with an internal audit manager or the CAE to determine whether it is truly an impairment and how to best
proceed.

The determination of who must receive the details of an impairment is dependent on the expectations of the internal audit
activity and the CAE responsibilities to senior management and the board as described in the internal audit charter as well
as the nature of the impairment. This requires that the CAE have a clear understanding of independence and objectivity
requirements.

Documents that may demonstrate conformance with Standard 1130 include the internal audit policy manual, board
meeting minutes, memos to file, or reports that contain such disclosures of impairments to independence and objectivity.

Topic 3: Individual Internal Auditor’s Objectivity

This topic discusses how the internal audit activity should monitor and promote objectivity for individual internal auditors.
This includes policy decisions that the CAE may make that will greatly affect objectivity, such as compensation and
promotion policies.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Implementation Guidance for Standards 1120 and 1130

Assessing and Maintaining Objectivity

According to The IIA

Attribute Standard 1120, “Individual Objectivity”
Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

Conflict of interest is a situation in which an internal auditor has a competing professional or personal interest. It exists
even if no unethical or improper act results. It can create an appearance of impropriety that can undermine confidence in
the internal auditor, the internal audit activity, and the profession.

In order to implement Standard 1120, the CAE will first want to understand policies or activities within the organization and
within internal audit that could enhance or hinder objectivity.

The CAE may additionally choose to include training on professional skepticism.

Individual internal auditors may ensure that they are acting objectively by consulting with others within the internal audit
activity when addressing potentially sensitive areas.
According to The IIA
Implementation Standard 1130.A1 (Assurance Engagements)
Internal auditors must refrain from assessing specific operations for which they were previously responsible.
Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the
internal auditor had responsibility within the previous year.

In order to follow Implementation Standard 1130.A1, the CAE or audit team management may choose to discuss details of
upcoming assignments with potential team members, including the individuals and departments involved, so that the CAE
can explore if there is a conflict that would impair or appear to impair an internal auditor’s objectivity. Internal auditors are
encouraged to share any concerns they may have so that the CAE or audit team management can determine whether the
internal auditor may participate in the engagement.

In addition to the internal policy manual, conformance with Standard 1120 may be evidenced by training records and also
through signed acknowledgment forms disclosing the existence (or nonexistence) of conflicts. Engagement workpapers
documenting team assignments could be compared to the acknowledgment forms to confirm that known conflicts were
avoided.

Topic 4: Policies Promoting Objectivity

This topic discusses the importance of policies that promote objectivity within the internal audit activity, which are rooted in
the internal audit charter.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Implementation Guidance for Standards 1120 and 1130

Policies Promoting Objectivity

To fully understand and appreciate independence and objectivity, internal auditors should consider the perspectives of
their various stakeholders and the conditions that could be perceived as undermining these factors.

The IIA Model Charter features a section on independence and objectivity that sets out baseline policies and expectations
for the internal audit activity and discusses how they will be maintained. In addition to dictating that internal audit is
independent and objective, the charter discusses all other areas of responsibility of internal audit, including any potential
areas that could impair objectivity. It should discuss how to overcome those potential impairments, if applicable.

Often the CAE will develop an internal audit policy manual or handbook that includes a discussion of organizational
independence and internal auditor objectivity, the nature of threats to objectivity, and how internal auditors should handle
potential impairments. The manual will often describe the appropriate actions for an auditor to take should he or she
become aware of or concerned about such impairments. Categories of threats to objectivity include:

Self-review. These threats may arise when an auditor reviews his or her own work.

Social pressure. These threats may occur when an auditor is exposed to, or perceives that he or she is exposed to,
pressures from relevant groups.

Major economic interest. This threat may arise when the auditor has a major, direct economic stake in the
performance of the client or fears that significant negative findings could jeopardize the entity’s future and hence the
auditor’s own interest as an employee. It may also arise due to performance incentives related to the area under
review or when the audit concerns the work or department of an individual who may subsequently make decisions that
directly affect the auditor’s employment or salary.
Personal relationship. This may arise when an auditor is a close relative or friend of the manager or an employee of
the audit customer unit.

Familiarity. This threat may occur due to an auditor’s long-term relationship with the audit customer.

Cultural, racial, and gender biases. This threat may occur when auditors are biased against another culture, race, or
gender.

Cognitive biases. This threat may arise from an unconscious and unintentional psychological bias in interpreting
information.
Section C: Proficiency and Due Professional Care
This section is designed to help you:
Identify and describe the required knowledge, skills, and competencies for an internal audit activity and how an
organization develops and/or procures them.
Identify and describe the required knowledge, skills, and competencies that an internal auditor needs to possess to
perform his/her individual responsibilities.
Explain how to exercise due professional care in an internal audit activity.
Describe the importance of professional development and formal certification for internal auditors.
Explain how an individual internal auditor’s competency is demonstrated through continuing professional
development.

According to The IIA

The IIA’s guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to
specific pages and documents varies for the public and The IIA members.
Attribute Standards: www.theiia.org/Attribute-standards
Performance Standards: www.theiia.org/Performance-standards
Standards and Guidance: www.theiia.org/Guidance
Position Papers: www.theiia.org/Position-papers
Implementation Guidance: www.theiia.org/Practiceadvisories
Practice Guides and GTAGs: www.theiia.org/Practiceguides

This section covers the necessary proficiency and due professional care that are required for both internal auditors and
the internal audit activity as a whole. Skills, knowledge, and competencies important to the profession of internal audit
must be developed and maintained by internal auditors and must be maintained or sourced from an external provider for
the internal audit activity to successfully complete necessary engagements. Due professional care ensures that the
internal audit activity can rely on all internal auditors to apply the care and skill of a reasonably prudent and competent
auditor.

Topic 1: Knowledge, Skills, and Competencies

This topic discusses the knowledge, skills, and due professional care that a successful internal audit activity needs to fulfill
its responsibilities and how individual internal auditors may develop those skills. It also covers the responsibilities of the
CAE pertaining to the internal audit activity’s ability to perform engagements with necessary proficiency.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Implementation Guidance for Standard 1200
IIA Global Internal Audit Competency Framework

Internal Audit Knowledge, Skills, and Competencies

According to The IIA

Attribute Standard 1200, “Proficiency and Due Professional Care”
Engagements must be performed with proficiency and due professional care.

Proficiency is a collective term that refers to the knowledge, skills, and other competencies required of internal auditors
to effectively carry out their professional responsibilities. In order to enable relevant advice and recommendations,
proficiency encompasses:
 Current activities.
Trends.
Emerging issues.

Changes that may affect the industry or the internal audit profession may be learned about via continuing professional
development. The CAE may help ensure the internal audit activity’s overall proficiency in this regard.

Internal auditors generally develop individual proficiency throughout their careers:

By obtaining and maintaining appropriate certifications.
By gaining experience.
Through professional education, including continuing professional development.

Internal auditors must be aware of continuing education requirements for any certifications they maintain.

Due professional care requires the understanding of the IPPF’s approach to internal auditing as well as organization-
specific policies. Implementation Standard 1220.A1 discusses what must be considered by internal auditors when
exercising due professional care.

According to The IIA

Implementation Standard 1220.A1 (Assurance Engagements)
Internal auditors must exercise due professional care by considering the:
Extent of work needed to achieve the engagement’s objectives.
Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
Adequacy and effectiveness of governance, risk management, and control processes.
Probability of significant errors, fraud, or noncompliance.
Cost of assurance in relation to potential benefits.

For internal auditors, due professional care requires compliance with the IIA’s Code of Ethics and may entail compliance to
the organization’s code of conduct and any additional codes of conduct relevant to other professional designations
attained.

The CAE is responsible for ensuring conformance with Standard 1200 by the internal audit activity as a whole. The CAE
establishes policies and procedures that enable internal auditors to perform engagements with proficiency and due
professional care as part of managing the internal audit activity.

The CAE may use The IIA’s Global Internal Audit Competency Framework or a similar benchmark to establish the criteria
by which to assess the proficiency of internal auditors. The criteria may be used to:
Create job descriptions.
Create an inventory of the competencies needed with the internal audit activity.
Develop a strategy for:
Recruiting.
Assigning.
Training.
Professional development.

The CAE generally thinks about the alignment between the knowledge, skills, and other competencies needed to complete
the internal audit plan and the resources available among the internal audit activity and other providers of assurance and
consulting services.

Conformance with Standard 1200 could be demonstrated using any of the following items:
Competency assessments of the internal audit activity
 Records of a recruitment and training strategy, job descriptions, and resumes
Internal audit policies and procedures and workpaper templates
Evidence that internal audit policies and procedures were communicated and signed acknowledgment that the internal
audit staff understands them
Evidence supporting annual declaration related to The IIA’s Code of Ethics and the organization’s code of conduct
The internal audit plan and engagement plans, which demonstrate the sufficient and appropriate allocation of internal
audit staff

Topic 2: Knowledge and Competency

This topic discusses how internal auditors may show that they possess the knowledge and competencies required by the
internal audit activity and how organizations and individuals may use competency assessment tools to identify and
develop missing competencies.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Implementation Guidance for Standard 1210
IIA Global Internal Audit Competency Framework

Demonstrating Proficiency

According to The IIA

Attribute Standard 1210, “Proficiency”
Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual
responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other
competencies needed to perform its responsibilities.

Internal auditors are encouraged to demonstrate their proficiency by obtaining appropriate professional certifications and
qualifications. The IIA’s Global Internal Audit Competency Framework defines the core competencies needed to fulfill IPPF
requirements for all occupational levels of the internal audit profession. The Competency Framework may be used by
internal auditors as a basis of self-assessment.

To build and maintain the proficiency of the internal audit activity, the CAE may develop a competency assessment tool or
skills assessment based on the Competency Framework or another benchmark. When using a competency tool to identify
proficiency gaps in the internal audit activity, the CAE should consider risks related to fraud and IT as well as technology-
based audit techniques, as required by Standards 1210.A2 and 1210.A3.

According to The IIA

Implementation Standard 1210.A2 (Assurance Engagements)
Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by
the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and
investigating fraud.

According to The IIA

Implementation Standard 1210.A3 (Assurance Engagements)
Internal auditors must have sufficient knowledge of key information technology risks and controls and available
technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to
have the expertise of an internal auditor whose primary responsibility is technology auditing.
Once the CAE has identified gaps in the internal audit activity’s collective proficiency, he or she may also use the
Competency Framework to develop plans for filling coverage gaps through hiring, training, outsourcing, and other
methods, as described by Standard 1210.A1.

According to The IIA

Implementation Standard 1210.A1 (Assurance Engagements)
The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge,
skills, or other competencies needed to perform all or part of the engagement.

The CAE can encourage professional development of internal auditors through:

On-the-job training.
Attendance at professional conferences and seminars.
Encouraging the pursuit of professional certifications.

The proficiency and experience of internal auditors help determine the extent of supervision required for specific audit
engagements, as described by Standard 2340. When consulting engagements are being considered and the available
internal auditors do not have the required proficiencies, the CAE must decline the engagement or pursue other options, as
described in Standard 1210.C1.

According to The IIA

Implementation Standard 1210.C1 (Consulting Engagements)
The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the
internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.

Conformance with Standard 1210 may be evidenced through different means for individual internal auditors, the CAE, and
the internal audit activity as a whole.

Individual internal auditors may demonstrate conformance by:

Resume or curriculum vitae.
Records of certifications and continuing professional development.

The CAE may demonstrate conformance through:

The use of a competency assessment tool.
The development of:
Internal audit policies.
Internal audit procedures.
Training materials.

Conformance for the internal audit activity as a whole may be demonstrated by:
An internal audit plan that includes an analysis of resource requirements.
An inventory of available audit staff skills or individual profiles listing qualifications.
An assurance map with a list of qualifications of service providers on which the internal audit activity relies.
Documented results of internal assessments.

Technical and Soft Skills

Technical skills are the hard skills needed to perform the duties of an internal auditor. Some examples of technical skills
that may be useful to the internal audit activity are:
Accounting.
Risk management assurance.
 Information technology.
Data mining and analytics.
Negotiation.
Change facilitation capabilities.
Business/process knowledge.

Personal (soft) skills can affect how the recommendations that arise from the applications of technical skills impact the
recipients of assurance and advisory services. Some examples of soft skills that may be useful to the internal audit activity
are:
Written communication.
Oral communication.
Analytical skills.
Critical thinking.
Persuasion and collaboration.

Topic 3: Due Professional Care

This topic discusses the required due professional care that internal auditors must exercise, including how following the
IPPF’s systematic and disciplined approach can help auditors apply due professional care.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Implementation Guidance for Standard 1220
Practice Guide, “Measuring Internal Audit Effectiveness and Efficiency”
IIA Global Internal Audit Competency Framework

Demonstrating Due Professional Care

According to The IIA

Attribute Standard 1220, “Due Professional Care”
Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due
professional care does not imply infallibility.

Obtaining appropriate education, experience, certifications, and training helps internal auditors develop the level of skill
and expertise required to perform their duties with due professional care. Additionally, individual auditors should
understand and apply the Mandatory Guidance of the IPPF and may find it helpful to become familiar with the core
competencies described in the IIA’s Global Internal Audit Competency Framework. Conformance with the IIA’s Code of
Ethics is required, and conformance with the organization’s code of conduct and other codes of conduct may also apply.

At the engagement level, due professional care involves comprehending:

The objectives of the engagement.
The scope of the engagement.
The competencies required to execute the audit work.
Knowledge of any policies and procedures specific to the internal audit activity and the organization.

By following the systematic and disciplined approach of the IPPF and the internal audit activity’s policies and procedures,
internal auditors essentially apply due professional care. However, what constitutes due professional care partially
depends on the complexities of the engagement.
Key Point
Internal auditors are not expected to be infallible and are not expected to give absolute assurance that noncompliance or
irregularities do not exist.

Implementation Standard 1220.A1, shown elsewhere, and Implementation Standards 1220.A2, 1220.A3, and 1220.C1,
shown below, describe some of the elements that internal auditors must consider in exercising due professional care.

According to The IIA

Implementation Standard 1220.A2 (Assurance Engagements)
In exercising due professional care internal auditors must consider the use of technology-based audit and other data
analysis techniques.

According to The IIA

Implementation Standard 1220.A3 (Assurance Engagements)
Internal auditors must be alert to the significant risks that might affect objectives, operations, or resources. However,
assurance procedures alone, even when performed with due professional care, do not guarantee that all significant
risks will be identified.

According to The IIA

Implementation Standard 1220.C1 (Consulting Engagements)
Internal auditors must exercise due professional care during a consulting engagement by considering the:
Needs and expectations of clients, including the nature, timing, and communication of engagement results.
Relative complexity and extent of work needed to achieve the engagement’s objectives.
Cost of the consulting engagement in relation to potential benefits.

The CAE assumes overall responsibility for ensuring that due professional care is applied throughout the internal audit
activity. The CAE typically develops measurement tools, metrics, and a process to assess the performance of individual
internal auditors and the internal audit activity as whole.

Conformance with Standard 1220 may be reflected in engagement plans, work programs, and workpapers as well as
through performance reviews, post-engagement staff meetings, and feedback from audit clients.

Topic 4: Continuing Professional Development

This topic discusses the crucial task of continuing professional development and how it helps individual auditors
demonstrate competency while enhancing the capabilities of the internal audit activity as a whole.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Implementation Guidance for Standard 1230

Continuing Professional Development and Competency

According to The IIA

Attribute Standard 1230, “Continuing Professional Development”
Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional
development.

The internal auditor is ultimately responsible for conforming with Standard 1230. Internal auditors may want to reflect on:
 Their job requirements.
Training policies.
Professional education requirements of their profession, organization, or industry.
Any certifications or areas of specialization.
Feedback from recent performance reviews.
Assessment results regarding conformance with the Mandatory Guidance of the IPPF.
Results of self-assessments.

Internal auditors may use a self-assessment tool as the basis for creating a professional development plan. The plan is
typically discussed with the CAE and may be used as the basis for the creation of key performance indicators to be used
in supervisory reviews, client surveys, and annual performance reviews. The plan may encompass:
On-the-job training.
Coaching.
Mentoring.
Other internal and external training.
Volunteering.
Certification opportunities.

Continuing professional development may lead to additional professional competencies that could enhance internal
audit work in specific areas. Opportunities to pursue professional development include participating in:
Conferences.
Seminars.
Training programs.
Online courses and webinars.
Self-study programs.
Classroom courses.
Conducting research projects.
Volunteering with professional organizations.
Pursuing professional certifications, such as the CIA.

If internal audit client surveys reveal a concern regarding internal auditors’ business acumen, the CAE may establish a
training and development policy to support continuing professional development. The policy may specify a minimum
number of hours of training for each auditor.

To ensure that their internal audit knowledge stays current, internal auditors may seek guidance from the IIA.

Internal auditors may demonstrate conformance with Standard 1230 by retaining documentation or evidence of any of the
following:
Self-assessments against a competency framework or benchmark
Professional development and training plans
Memberships and participation in professional organizations
Subscriptions to sources of professional information
Completed training
Section D: Quality Assurance and Improvement Program
This section is designed to help you:
Describe the required elements of a quality assurance and improvement program (QAIP), including both internal
and external assessments.
Describe the requirement of reporting the results of the QAIP to the board or other governing body.
Identify appropriate disclosure of conformance versus nonconformance with The IIA’s International Standards for
the Professional Practice of Internal Auditing.

According to The IIA

The IIA’s guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to
specific pages and documents varies for the public and The IIA members.
Attribute Standards: www.theiia.org/Attribute-standards
Performance Standards: www.theiia.org/Performance-standards
Standards and Guidance: www.theiia.org/Guidance
Position Papers: www.theiia.org/Position-papers
Implementation Guidance: www.theiia.org/Practiceadvisories
Practice Guides and GTAGs: www.theiia.org/Practiceguides

The topics in this section address the mandatory requirement for the internal audit activity to develop and periodically
perform the processes in a quality assurance and improvement program. Details covered include the required elements of
these programs, including internal and external assessments, the reporting requirements, and how to disclose
conformance versus nonconformance with the Code of Ethics or Standards.

Topic 1: QAIP Required Elements

This topic discusses the importance of quality in the internal audit activity and how quality can be delivered using a quality
assurance and improvement program (QAIP) as mandated by Standard 1300. Internal assessments (including ongoing
monitoring and periodic self-assessments) and external assessments are described as well as how to establish a QAIP
and how such a program and other tools can be used to help measure internal audit activity effectiveness and efficiency.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Implementation Guidance for 1300 series
Practice Guide, “Quality Assurance and Improvement Program”
Practice Guide, “Measuring Internal Audit Effectiveness and Efficiency”

Quality and the QAIP

According to The IIA

Attribute Standard 1300, “Quality Assurance and Improvement Program”
The chief audit executive must develop and maintain a quality assurance and improvement program that covers all
aspects of the internal audit activity.

Organizations undergo refinement, and internal processes change and evolve. As an organization changes, auditing
services must keep pace. To ensure its consistent relevance and quality, the internal audit activity is required to have a
quality assurance and improvement program (QAIP) in place.
Key Point
The mandatory scope of a QAIP is limited to the mandatory elements of the IPPF. This includes the Standards, the Code
of Ethics, the Core Principles for the Professional Practice of Internal Auditing, and the Definition of Internal Auditing.
Assessors can evaluate against recommended guidance (implementation guidance and supplemental guidance) or
make additional improvement recommendations, but these are not mandatory.

Let’s break down the interpretation (shown in italics) and implementation guidance or other IIA guidance (the sub-bullets)
for Standard 1300:

A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s
conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors
apply the Code of Ethics. (The term “conformance to the IPPF” is used in the rest of this topic to refer to conformance
to these and other mandatory elements of the IPPF.)
A well-developed QAIP helps embed the concept of quality in the internal audit activity and operations.
Following a general methodology helps ensure quality and conformance to the IPPF.
It is crucial that the CAE regularly reviews the IPPF and is aware of any changes that may need to be
communicated throughout the internal audit activity.

The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for
improvement.
The QAIP needs to be periodically evaluated and updated to ensure that it adds value.
A QAIP is a key way to measure the effectiveness and efficiency of the internal audit activity.

The chief audit executive should encourage board oversight in the quality assurance and improvement program.

Quality
What is quality?
Quality is the degree to which a product, service, or process meets the customer’s expectations—the degree to which
it is fit for purpose.
Rather than being an absolute, quality is relative.
Quality does not just happen. It is the combination of the right people, the right systems, and a commitment to
excellence.
Quality is driven by the leaders of the organization, but it is implemented by everyone at the organization.
A formal, structured approach is required to ensure quality.
Quality in internal audit is an obligation to meet customer expectations and to meet professional responsibilities by
conforming to the IIA’s Standards and Code of Ethics.
Internal audit quality includes operating with proficiency and due professional care, undertaking continuing professional
development, and conforming to a set of recognized standards.

Quality can be assured by implementing a quality assurance program and adhering to its requirements on an ongoing
basis. Anderson et al. in Internal Auditing define quality assurance as “the process of assuring that an internal audit
function operates according to a set of standards defining the specific elements that must be present to ensure that the
findings of the internal audit function are legitimate.”

A QAIP ensures that quality is built in to, rather than on to, internal audit operations. After all, “demonstrates quality and
continuous improvement” is one of the Core Principles for the Professional Practice of Internal Auditing.

Note that “conformance” in regard to the Standards is a technical term from the quality management discipline that implies
a principles-based approach. It is not about complying with the letter of the standard (i.e., it is not rules-based). Someone
who is in conformance is expected to achieve the spirit of the standard.

Continuous Improvement
Continuous improvement is an ongoing, cyclical process of regularly evaluating and working to improve a product,
service, or process, either by a series of incremental improvements or by larger initiatives that may result in breakthrough
improvements. A common way to establish continuous improvement in a QAIP is to use a planned, methodological
structure such as the Deming cycle, also called the Plan, Do, Check, Act model, as shown in Exhibit 1-15.

Exhibit 1-15: Deming Cycle (Plan, Do, Check, Act)

As quality guru W. Edwards Deming said, “It is not enough to do your best. You must know what to do, and then do your
best.” Using a sound measurement and feedback loop provides information on what the internal audit activity or internal
auditor needs to do to continually improve.

Embedding continuous improvement into internal audit operations requires:

Setting up a performance measurement framework.
Regularly reporting on quality metrics and deviations from targets so that corrective actions can be planned and
implemented as needed.
Periodically reviewing quality criteria themselves for continued validity.

Continuous improvement is necessary regardless of whether the internal audit activity is new or established. It is a
continuing journey that can add value regardless of internal audit complexity level.

QAIP
A QAIP is an ongoing and periodic assessment of all assurance and consulting work performed by the internal audit
activity. These ongoing and periodic assessments are composed of:
Rigorous, comprehensive processes.
Continuous supervision and testing of internal audit assurance and consulting work.
Periodic evaluations of conformance to the IPPF.
Ongoing measurements and analyses, assessments, and implementation of improvements.

QAIP evaluation areas can be at the internal audit activity level and the internal audit engagement level. The following
things need to be evaluated (some of which are at the internal audit activity level only):
Conformance to the IPPF
Adequacy of the internal audit activity’s charter, goals, objectives, policies, and procedures
Completeness of coverage of the entire audit universe
Internal audit activity’s contribution to the organization’s governance, risk management, and control (GRC) processes
Internal audit activity compliance with applicable laws, regulations, and government or industry standards
Internal audit operational risks
 Effectiveness of continuous improvement activities and adoption of best practices
Whether the internal audit activity adds value, improves the organization’s operations, and contributes to the
attainment of objectives

To implement Standard 1300, the CAE must consider requirements related to its five essential components:
Internal assessments
External assessments
Communication of QAIP results
Proper use of a conformance statement
Disclosure of nonconformance

Note that Standard 1310 requires both internal and external assessments.

According to The IIA

Attribute Standard 1310, “Requirements of the Quality Assurance and Improvement Program”
The quality assurance and improvement program must include both internal and external assessments.

In preparing to do internal assessments or arranging for external assessments, the CAE is responsible for:
Gaining awareness of prior results from both internal and external assessments.
Implementing any action plans that come out of internal or external assessments.

General considerations for the scope of internal and external assessments include:
Ensuring that the scope falls within the responsibilities of the CAE and the internal audit activity as documented in the
internal audit charter.
Considering the expectations of senior management, the internal audit activity, and other stakeholders.
Assessing internal audit practices against the Standards and any internal audit–related regulatory requirements.

Establishing a QAIP Program

Exhibit 1-16 shows the QAIP framework adapted from the IIA’s “Quality Assurance and Improvement Program” Practice
Guide.

Exhibit 1-16: QAIP Framework

While CAEs may develop whatever framework works for their internal audit activity, this framework builds quality into the
activity by explicitly addressing internal audit governance, professional practice, and communication programs. Exhibit 1-
17 expands upon these programs.

Exhibit 1-17: Program-Based QAIP Structure

 Exhibit 1-17: Program-Based QAIP Structure

Governance Professional Practice Communication

Internal audit charter Rules and responsibilities Communicating results

IPPF Risk-based audit planning Follow-up
Legislation Other assurance Stakeholder
Independence and providers communications
objectivity Audit engagement
Risk management planning
Resourcing Performing the
engagement
Proficiency and due
professional care
Quality assurance

For each of the program elements listed in Exhibit 1-17:

1. An objective is defined.
2. Criteria are identified for each objective. (Their number may vary by objective.)
3. A quality assurance process (methodology) is developed for each criterion.
4. An assessment is made per the quality assurance process.
5. Results are captured back into the continuous improvement cycle and reported to stakeholders.

The right side of Exhibit 1-16 shows the components of the QAIP program. These processes provide quality assurance
over the entire internal audit activity and result in findings, observations, and recommendations as well as reporting and
follow-up steps. The arrows around the right and top of the diagram show how internal audit processes and the QAIP
program are reviewed to keep them current and continually improved for efficiency and effectiveness.

QAIP Internal Assessments (Standard 1311)

According to The IIA

Attribute Standard 1311, “Internal Assessments”
Internal assessments must include:
Ongoing monitoring of the performance of the internal audit activity.
Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of
internal audit practices.

Note that part of the interpretation of Standard 1311 indicates that sufficient knowledge requires at least an understanding
of all elements of the International Professional Practices Framework.

Internal assessments in a QAIP program address both the internal audit activity as a whole and the internal audit
engagement level.

At the internal audit activity or organization-wide level, the CAE provides assurance that:
Policies and procedures are formally documented and are in conformance with the IPPF, and audit work conforms to
these policies and procedures.
Audit work achieves the general purposes and responsibilities described in the internal audit charter.
Audit work is performed per quality standards and has adequate supervision.
Audit work conforms to the IPPF or at least correctly reflects the internal audit activity’s statement of conformance (e.g.,
partially conforms).
Internal audit work meets stakeholder expectations.
The internal audit activity adds value and improves the organization's operations.
Resources for the internal audit activity are used efficiently and effectively.
 Appropriate mechanisms are established and used to follow up on management actions in response to audit
recommendations.
Post-engagement client surveys, lessons learned, self-assessments, and other continuous improvements are done.

At the internal audit engagement level, the engagement supervisor provides assurance that:
Appropriate processes have been used to translate audit plans into specific, appropriately resourced audit
engagements.
Planning, fieldwork, conduct, and reporting/communicating results demonstrate conformance to the IPPF.

For any internal assessment, where appropriate, the assessor(s) provide recommendations for improvement, corrective
action plans, and progress against completion.

Ongoing Monitoring
According to Standard 1311’s interpretation, ongoing monitoring is an integral part of the day-to-day supervision, review,
and measurement of the internal audit activity. Ongoing monitoring is part of routine policies, practices, processes, tools,
and information necessary for evaluating conformance to the IPPF. The focus of ongoing monitoring is at the engagement
level. It is achieved through continuous activities conducted on an engagement-by-engagement basis, including
engagement supervision, standardized work practices, workpaper procedures and sign-offs, report reviews, assessments
of areas of weakness, and any related action plans developed to address those weaknesses.

CAEs may review innovations and best practices to develop a number of ongoing monitoring tools for team use, including:
Pre-fieldwork audit engagement readiness assessments, including a pre-approved audit scope, clear staff
assignments, and budgeted staff hours.
Templates to ensure consistency between engagements.
Checklists or other automation tools for compliance areas.
Key performance indicators (KPIs) such as number of auditors, years of experience, professional development hours,
engagement timeliness, and stakeholder satisfaction.
Tools to promote efficiency and effectiveness, including budgets, timekeeping systems, audit plan completion status,
and monitoring and controlling using variance data.
Processes to collect and analyze feedback from internal audit clients and stakeholders regarding the efficiency and
effectiveness of internal audit teams.

Ongoing monitoring requires adequate supervision in all phases of the engagement, including during the planning,
performance, and communication phases. The audit supervisor sets clear expectations during planning and promotes
ongoing communications during performance with the supervisor and among team members. The responsible supervising
individual follows best practices for workpaper review procedures, including timely sign-off.

Exhibit 1-18 shows an example of how ongoing monitoring can use the Deming cycle (the Plan, Do, Check, Act model),
introduced earlier in the topic, to continually improve ongoing monitoring processes. (Note that the bullets are not a
comprehensive list.)
 Exhibit 1-18: Deming Cycle (PDCA) Applied to Ongoing Monitoring

Source: Quality Assessment Manual for the Internal Audit Activity. © 2017, IIA Foundation.
Consistent processes are needed for gathering, summarizing, and analyzing measurement data. Responsibility for
measuring and validating data should be established as for any other audit engagement. A continuous improvement
framework for ongoing monitoring like the one in Exhibit 1-18 helps the internal audit activity get to this desired level of
consistency and quality.

Periodic Self-Assessments
Periodic-self-assessments as part of a QAIP are conducted to evaluate conformance to the IPPF, according to the
interpretation of Standard 1311. These self-assessments are also the basis for self-assessments with independent
validation (SAIVs), as is discussed later. The scope of a periodic self-assessment includes evaluating the:
Quality and supervision of work performed.
Adequacy and appropriateness of internal audit policies and procedures.
Ways in which the internal audit activity adds value.
Achievement of KPIs.
Degree to which stakeholder expectations are met.

The focus of a periodic self-assessment needs to be on a holistic, comprehensive review of the Standards, the Code of
Ethics, and the internal audit activity. A holistic view also includes a focus on the quality of audit work and adherence to
internal audit methodology, identifying and implementing improvements, and monitoring and controlling the activity’s
efficiency and effectiveness.

A periodic self-assessment is typically led by a senior member of the internal audit activity who has extensive experience
with the IPPF and is a Certified Internal Auditor (CIA). Self-assessments can include persons who are on the internal audit
team or who are assigned elsewhere. This type of assessment is a good IPPF training tool for internal audit staff. The self-
assessment can also be done by a dedicated quality assurance team given sufficient knowledge of the IPPF and internal
audit practices.

Exhibit 1-19 shows elements that could be included in a periodic self-assessment process, including some optional
components.
 Exhibit 1-19: Self-Assessment Process

Frequency of Internal Assessments

Key Point
Internal assessments need to be performed once every five years at a minimum. However, a best practice (not
mandatory) for successful internal audit practice is for periodic self-assessments to be performed at least annually,
especially if the IPPF changes or there are significant organizational changes.

Larger organizations may conduct periodic internal assessments annually, while smaller or less mature internal audit
activities may perform them less frequently (e.g., every two years).

Periodic internal assessments can be over a multi-year period, with each period’s results reported separately.

QAIP External Assessments (Standard 1312)

According to The IIA

Attribute Standard 1312,“External Assessments”
External assessments must be conducted at least once every five years by a qualified, independent assessor or
assessment team from outside the organization. The chief audit executive must discuss with the board:
The form and frequency of external assessment.
The qualifications and independence of the external assessor or assessment team, including any potential conflict
of interest.

The form of an external quality assessment (EQA), also called just an external assessment, can be one of two types:
Full external assessment
Self-assessment with independent external validation (SAIV)

Both types require involvement of a qualified, independent assessor or team from outside the organization. In the former
type, assessor(s) do the assessment and provide an opinion. In the latter type, the assessor(s) validate the internal audit
activity’s periodic self-assessment.
Full External Assessment
Exhibit 1-20 reviews the scope of a full external assessment and methods often used to evaluate each component. The
only mandatory element of a full external assessment is the first component listed.

Exhibit 1-20: Full External Assessment Scope and Methods of Assessment

Component Method of Assessment

Level of conformance Review internal audit activity’s charter, plans, policies,

with mandatory procedures, and practices for conformance with the Standards
elements of IPPF and Code of Ethics, and if applicable, legislative and regulatory
requirement compliance.
Efficiency and Assess internal audit activity’s processes and infrastructure,
effectiveness of including the QAIP. Evaluate internal audit staff’s knowledge,
internal audit activity experience, and expertise.
Expectations and Interview the board, senior management, and operations
value management.

Self-Assessment with Independent External Validation (SAIV)

The internal audit activity typically conducts a self-assessment and then submits the work for validation by an independent
external assessor. The scope of an SAIV usually includes a comprehensive and fully documented process that emulates
the full external assessment process. The process must include an evaluation of the internal audit activity’s conformance
to the IPPF. The qualified, independent external assessor must conduct the validation on site. The external assessor
verifies that the evidence from the self-assessment is adequate to support conformance with the Standards, thus providing
independent assurance without bias. Because the external assessor is not mapping out the full assessment and finding
evidence for each element, this may free up additional scope for a limited amount of attention given to:
Benchmarking.
Review, consultation, and employment of leading practices.
Interviews with senior and operations management.

Comparison of Full External Assessment and SAIV

Key differences between full external assessments and SAIVs include the following.
The direct cost will be lower for an SAIV than for a full external assessment. SAIVs may be able to be linked more
closely to ongoing monitoring, which can be leveraged to further reduce costs.
SAIVs enable full external assessments to be less frequent.
SAIVs provide an opportunity for staff development but require more intensive internal resource commitments than full
external assessments.
Internal portions of the SAIV are not independent and objective.
SAIVs may give the external person(s) doing the independent validation less opportunity to do a comprehensive
overview of the internal audit activity than full external assessments.

Occurrence, Frequency, and Type of External Assessments

Key Point
External assessments are an area of conformance to the IPPF that is not under the direct control of the CAE and the
internal audit activity. The board and management need to approve a budget for this type of assessment. This is
significant because if the organization decides not to invest in an external assessment, the internal audit activity will not
be able to indicate that it conforms to the IPPF.
The CAE must discuss the frequency and type of external assessments with senior management and the board. Difficulty
getting senior management and the board to approve external assessments can arise in any organization. The CAE works
to sell the benefits of these programs to the board and management, such as by highlighting the ability to improve the
internal audit activity and add organizational value. Agreeing to set the frequency and type of external assessments so as
to stay within budget constraints can also help.

In addition to cost, the CAE considers the following.

Small internal audit activities that have recently undergone a full external assessment may find an SAIV useful.

Frequency may need to account for the size and maturity of the internal audit activity, with smaller or less mature
activities leaning toward the minimum frequency of once every five years. The CAE may discuss increasing the
frequency given:
Changes in CAE or management leadership.
Significant changes in internal audit policies or procedures.
Mergers of two or more internal audit activities into a single unit.
Significant staff turnover.
Industry-specific or environmental issues.

Independent Assessor/Team Qualifications and Competence

The CAE must discuss with the board the qualifications of external assessor(s). Preferred qualifications for external
assessors include that they:
Are CIAs with knowledge of leading internal audit practices.
Have sufficient and recent management-level experience.
Have experience with external assessments.
Have completed The IIA’s quality assessment training course.
Have CAE experience.
Possess relevant technical and/or industry expertise.

While the team overall needs to have a full set of competencies, there is no need to require each individual to have all
required skills. For example, only the team leader may need to be an experienced and professional project team leader.
Also, if team size permits, specialists in risk management can provide assistance.

In addition to discussing with the board the necessary qualifications of external assessor(s), the interpretation to Standard
1312 indicates that the CAE uses professional judgment when assessing whether an assessor or assessment team
demonstrates sufficient competence to be qualified. Competence is assessed in two areas:
Professional practice of internal auditing
External assessment process

This competence can be a mix of theory and experience, but the relevance of that experience matters. Experience with
organizations of similar size, complexity, or industry carries more weight than with dissimilar organizations, as does
experience with similar technical issues.

Independent Assessor/Team Independence and Objectivity

The CAE must discuss with the board the independence of the external assessor(s), including any potential conflict of
interest. The CAE encourages board oversight in these areas. Prerequisites for these assessments include that the CAE
understands:
The organization’s procurement policies.
 Independence requirements.
Situations that may impair independence or objectivity or create a conflict of interest.

Independence, objectivity, and lack of a conflict of interest require not being a part of or under the control of the
organization to which the internal audit activity belongs. Assessors should have neither an actual nor a perceived conflict
of interest. Potential impairments include a past, present, or future relationship with the organization, its personnel, or its
internal audit activity. This could include external audits of financial statements, assistance to the internal audit activity,
personal relationships, or consulting.

Assessor(s) who would not be considered independent include:

Individuals from another department at the organization or from a parent, affiliate, or other related organization.
Public sector auditors who report to the same CAE even if they work for different entities.
Assessor(s) operating reciprocal peer assessments between two organizations.

A reciprocal peer assessment is a teaming arrangement in which the internal audit activity for one organization agrees to
perform the full external assessment or validation for an SAIV for another organization in exchange for that organization
providing a similar service. When such arrangements are bilateral, this is not considered independent. However, a round
robin of three or more organizations can create independence, as shown in Exhibit 1-21.

Exhibit 1-21: Reciprocal Peer Assessment Teaming of Three or More Organizations

Demonstrating QAIP Conformance to Standards 1300, 1310, 1311, and 1312

Demonstrating conformance to Standards 1300, 1310, 1311, and 1312 includes use of relevant board presentations and
minutes or documentation of improvement actions taken. In addition, conformance to individual standards includes (but is
not limited to) the following types of documentation or evidence:
Standard 1300: QAIP documents and internal and external assessment results
Standard 1310: Documentation related to Standards 1311 and 1312, benchmarking reports, and requests for services
Standard 1311: Evidence of ongoing monitoring activities (KPI and workpaper reviews), documentation of completed
self-assessments, QAIP results (e.g., action plans), completed checklists, survey results, and internal audit efficiency
and effectiveness KPIs (e.g., budget to actual engagement hours)
Standard 1312: External assessor’s report, including degree of conformance, recommendations, benchmarking
reports, and requests for services (e.g., due diligence documentation from vetting external assessors)

Internal Audit Effectiveness and Efficiency

Organizations that use internal auditing effectively are better able to identify business risks and process and system
inefficiencies, take appropriate corrective action, and ultimately support continuous improvement. To maintain and
enhance the internal audit activity’s credibility, however, its effectiveness and efficiency should be monitored.

Measuring the effectiveness and efficiency of the internal audit activity or of individual assurance and consulting
engagements involves measuring the quality of and the degree to which internal audit objectives are achieved.
Effectiveness involves aligning with objectives or doing the right things; efficiency involves avoiding unnecessary work or
doing the things right.

Exhibit 1-22 shows an internal audit activity effectiveness and efficiency performance measurement process from The IIA’s
Practice Guide “Measuring Internal Audit Effectiveness and Efficiency.”

Exhibit 1-22: Internal Audit Efficiency and Effectiveness Measurement

Process

1. Define internal audit effectiveness.

Review relevant IPPF guidance, including the Standards.
Review the strategic plans of the internal audit activity and
organization.
Review the board, audit committee, and internal audit activity
charters.
Assess basic, expected, and targeted/preferred internal audit
activity deliverables.
Formulate an initial definition of internal audit effectiveness and
efficiency.
Define agreement from key stakeholders of the definition of
effectiveness and efficiency.
2. Identify key internal and external stakeholders.
Determine key internal and external stakeholders for the activity and
organization.
Determine who directly or indirectly relies upon the internal audit
activity’s work.
Determine who benefits, directly or indirectly, from the internal audit
activity’s work.
Consider who supports the internal audit activity.
3. Develop measurements of internal audit effectiveness.
Understand key stakeholders’ expectations of the internal audit
activity.
Understand what internal audit attributes, deliverables, and
capabilities key stakeholders value and related shortcomings or
advancements in these areas.
Develop measurement tools such as a balanced scorecard to
document relevant attributes of effectiveness and efficiency and
related performance against these.
Agree upon effectiveness and efficiency metrics with key
stakeholders.
4. Monitor and report results.
Establish an agreed-upon format and frequency for reporting that
considers the organization’s size, nature, and governance structure.
Establish a periodic review of such monitoring and reporting to
ensure relevance, efficiency, and effectiveness.
Use the results of reporting to shape and guide internal audit
activities.
Align internal audit activities to the defined measures of internal
audit effectiveness and efficiency.

Here are some examples of KPIs for measuring internal audit activity effectiveness and efficiency:
Level of contribution to the improvement of governance, risk management, and control processes
Achievement of key goals and objectives
Evaluation of progress against audit activity plan
Improvement in staff productivity
 Increase in efficiency of the audit process
Increase in number of action plans for process improvements
Adequacy of engagement planning and supervision
Effectiveness in meeting stakeholders’ needs
Results of quality assurance assessments and internal audit activity’s quality improvement programs
Effectiveness in conducting the audit
Clarity of communications with the audit client (i.e., the “auditee”) and the board

Balanced Scorecard Approach

A balanced scorecard approach can be used to develop specific KPIs. A balanced scorecard examines performance
from four different perspectives: financial, customer satisfaction, business processes required to accomplish the activity’s
mission, and learning and growth to ensure continuous improvement. Exhibit 1-23 lists sample KPIs from these
perspectives and Exhibit 1-24 shows how the perspectives themselves can be customized. Both are just illustrative
examples. The center of each graphic lists examples of sources for internal audit activity objectives and criteria. The KPIs
need to trace back to and align with these objectives.

Exhibit 1-23: Aligning KPIs to Stakeholder Expectations with Balanced Scorecard

Exhibit 1-24: QAIP Performance Measurements in Custom Balanced Scorecard

 Source: Adapted from A Balanced Scorecard Framework for Internal Auditing Departments by Mark L. Frigo.

Topic 2: Reporting QAIP Results

This topic discusses the mandate for the CAE to report QAIP results to senior management and the board. The topic also
discusses assessment scales showing degree of conformance.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Implementation Guidance for Standard 1320
Practice Guide, “Quality Assurance and Improvement Program”

Communicating QAIP Results

According to The IIA

Attribute Standard 1320, “Reporting on the Quality Assurance and Improvement Program”
The chief audit executive must communicate the results of the quality assurance and improvement program to senior
management and the board. Disclosure should include:
The scope and frequency of both the internal and external assessments.
The qualifications and independence of the assessor(s) or assessment team, including potential conflicts of
interest.
Conclusions of assessors.
Corrective action plans.

Let’s break down this standard’s interpretation (shown in italics) and implementation guidance or other IIA guidance (the
sub-bullets):

The form, content, and frequency of communicating the results of the quality assurance and improvement program is
established through discussions with senior management and the board.
Typically, the CAE meets regularly with senior management and the board to understand and agree upon the
expectations for communications.
The CAE reviews the internal audit charter and policies and procedures manual for QAIP responsibilities prior to
these discussions.
The CAE needs to be aware of all internal assessments and any completed external assessments.

The results of external and periodic internal assessments are communicated upon completion..., and the results of
ongoing monitoring are communicated at least annually.
To determine the frequency of reporting the results of ongoing monitoring, survey key stakeholders to determine
their needs and expectations (which also helps define the criteria upon which the internal audit activity should be
measured).

Note that the CAE is responsible for communicating the results of the entire QAIP program. Demonstrating conformance
with Standard 1320 can take the form of relevant board meeting and senior management meeting minutes.

As part of reporting to the board the results of periodic internal assessments, the CAE typically confirms that internal
assessor(s) have “sufficient knowledge” of internal audit practices per Standard 1311. After the board and senior
management have received the results of an external assessment, the CAE typically confirms qualifications and
independence of the external assessor or external assessment team per Standard 1312. Any actual, potential, or
perceived conflicts of interest should be reported to senior management and the board.
Conclusions of Assessors
Internal and external QAIP assessment reports include an evaluation of the internal audit activity’s overall degree of
conformance with the Standards and the Code of Ethics, but such reports can also include an assessment for each
standard or standard series.

For internal assessments, to reinforce the independence and objectivity of the internal assessment team, the team and the
CAE should agree on the reporting medium and format at the start of the assessment. The CAE may share the results of
internal assessments, necessary action plans, and their successful implementation with senior management and the
board.

Providers of QAIP external assessments express an opinion on the entire spectrum of the assurance and consulting work
the internal audit activity has or should have performed. Any type of external assessment must conclude as to
conformance with the IPPF. The degree of conformance, as addressed below, is part of the assessment. Optionally, the
assessor may also provide operational or strategic comments, such as how management can be improved or how the
internal audit activity can add more value to the organization.

For external assessments, a draft report is prepared either before or after the closing conference. External team members
may provide comments for potential inclusion by the full external assessment team leader. After this, the draft is sent to
the CAE, who is asked to respond to the recommendations and provide an action plan to address deficiencies or
opportunities. The CAE may also make comments on observations and recommendations. The final report, plus CAE
comments or action plans, is typically addressed to the CAE with the expectation that copies will be distributed to:
The board (typically its audit committee). This is mandatory.
Senior management to whom the CAE reports.
Any parties who initiated the full external assessment.

In contrast, the conclusions of an SAIV are reported to the CAE, who reports to the board.

Assessment Scales
As interpretation to Standard 1320 states, the results include the assessor’s or assessment team’s evaluation with respect
to the degree of conformance. While a QAIP report should include a rating scale to assess the degree of conformance to
the Standards, there is no requirement to use a particular scale or model. Exhibit 1-25 compares two assessment scales
from The IIA, the left one from the Quality Assessment Manual for the Internal Audit Activity and the right one from “The
Path to Quality—Maturity Model for Implementing a QA&IP.”
 Exhibit 1-25: Comparison of Two Conformance Assessment Scales

Since the exhibit provides some guidance regarding what each level means in the “Path to Quality” scale, let’s do the
same for the Quality Assessment Manual scale:

Generally conforms. This is the top rating in the scale. The internal audit activity has a charter and policies that align
to it. The activity’s processes, execution, and results are judged to be in conformance with the Standards and elements
of the Code of Ethics in all material aspects. This includes general conformity with the majority of individual standards
within the sections (Attribute and Performance) and categories (e.g., 1000s). Individual standards tested also
demonstrate conformity. Opportunities for improvement may be identified, but none are in areas related to the
acceptable implementation or application of the Standards or the Code of Ethics.

Partially conforms. There are deficiencies in internal audit activity practice that are judged to deviate from the
Standards or the Code of Ethics, but the activity can still perform its responsibilities. The internal audit activity is
making good-faith efforts at conformance but falls short of achieving some major objectives. There are significant areas
for improvement related to mandatory IPPF conformance or achieving objectives. Some deficiencies may be beyond
the control of the internal audit activity, and these may result in recommendations to senior management or the board
that they address these issues.

Does not conform. The internal audit activity is not aware of, or is not making good-faith efforts to conform with, or is
failing to achieve the objectives of the Standards and/or the Code of Ethics. Deficiencies in practice are judged to be so
significant that they seriously impair or preclude the activity from performing adequately in all or in significant areas of
its responsibilities.

Corrective Action Plans

It is the CAE’s responsibility to respond to recommendations from internal and external assessments and provide action
plans for remediation. Corrective action plans address areas of nonconformance with the Standards and other
opportunities for improvement. The CAE should document in writing a response/action plan and implementation timetable
for each recommendation from the final written report. The CAE may consider adding recommendations from external
assessments and any related action plans to the internal audit activity’s existing monitoring processes to ensure that
improvements become part of ongoing operations.
The CAE should communicate to senior management and the board any corrective action plans, either generally as part of
the internal audit activity’s monitoring progress or as part of the next QAIP report.

Topic 3: Conformance versus Nonconformance Disclosures

This topic discusses when it is appropriate to state that the internal audit activity “conforms with” the Standards versus
omitting such a statement due to nonconformance.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Implementation Guidance for Standards 1321 and 1322
Practice Guide, “Quality Assurance and Improvement Program”

Use of IPPF Conformance Statement

According to The IIA

Attribute Standard 1321, “Use of ‘Conforms with the International Standards for the Professional Practice of Internal
Auditing’ ”
Indicating that the internal audit activity conforms with the International Standards for the Professional Practice of
Internal Auditing is appropriate only if supported by the results of the quality assurance and improvement program.

Let’s break down this standard’s interpretation (shown in italics) and implementation guidance or other IIA guidance (the
sub-bullets):

The internal audit activity conforms with the Code of Ethics and the Standards when it achieves the outcomes
described therein.
Proper use applies to written or verbal communications.
The CAE uses the conformance statement only if he or she understands the QAIP requirements and is familiar with
the QAIP results.
The CAE understands and periodically discusses the board's expectations regarding use of the conformance
statement.

All internal audit activities will have the results of internal assessments.
If an external assessment has occurred in the past five years but the internal audit activity has not satisfied its
internal assessment per the frequency as disclosed to the board, the CAE should consider whether it is still
operating in conformance and if it is appropriate to indicate conformance until validated by an internal assessment.

Internal audit activities in existence for at least five years will also have the results of external assessments.
If the internal audit activity has been in existence for less than five years, use the conformance statement only if a
periodic self-assessment supports this conclusion.
Do not use the conformance statement if the internal audit activity has been in existence for at least five years but
has not completed an external assessment.
Do not use the conformance statement if more than five years have passed since the last external assessment.

The CAE can continue to use the conformance statement until the next external assessment occurs. However, proper use
of a conformance statement requires stopping use if the current internal assessment or the most recent external
assessment does not indicate general conformance with the Standards and the Code of Ethics. The internal audit activity
cannot resume using the conformance statement until it has remediated the areas of nonconformance and has conducted
an external assessment that does show conformance.
Key Point
Note that the Standards are principles-based. Standards 1321 and 1322 address overall, systemic conformance or
nonconformance. In assessing conformance with the Standards, there may be situations where the internal audit activity
achieves only partial conformance with one or more standards. In such cases, the activity should consider the overall
conformance conclusion when determining its ability to use the conformance statement.

Disclosure of Nonconformance

According to The IIA

Attribute Standard 1322, “Disclosure of Nonconformance”
When nonconformance with the Code of Ethics or the Standards impacts the overall scope or operation of the internal
audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and
the board.

A disclosure of nonconformance is necessary whenever the CAE makes the conclusions as stated in Standard 1322:
Nonconformance not only exists but also impacts the overall scope or operation of the internal audit activity. The CAE also
discloses the impact of the nonconformance to senior management and the board. Prerequisites to making these
conclusions include the CAE understanding:
The mandatory elements of the IPPF.
How conformance deviations might affect the overall scope of the internal audit activity.
The expectations of the board and senior management regarding reporting nonconformance issues.

Nonconformance could be related to impairments of independence and objectivity, insufficient access that impairs audit
scope, and so on. The CAE would evaluate the nonconforming area to see if it impacts the overall scope or operation of
the internal audit activity. Part of this assessment involves determining the degree to which a nonconformance situation
may affect the activity’s ability to fulfill its professional responsibilities and/or the expectations of stakeholders. For
example, this could be whether the activity can provide reliable assurance on internal controls over financial reporting
(ICFR).

Demonstrating conformance with Standard 1322 requires maintaining documentation of the occurrence, nature, and
overall impact of any nonconformance with the Standards or the Code of Ethics, including any relevant board meeting
minutes, memos, emails, or external assessment results.
Section E: Governance, Risk Management, and Control
This section is designed to help you:
Describe the concept of organizational governance.
Recognize the impact of organizational culture on the overall control environment and individual engagement risks
and controls.
Interpret fundamental concepts of risk and the risk management process.
Describe globally accepted risk management frameworks appropriate to the organization, including the COSO
enterprise risk management (ERM) framework and ISO 31000, “Risk Management.”
Examine the effectiveness of risk management within processes and functions.
Recognize the appropriateness of the internal audit activity’s role in the organization’s risk management process.

According to The IIA

The IIA’s guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to
specific pages and documents varies for the public and The IIA members.
Attribute Standards: www.theiia.org/Attribute-standards
Performance Standards: www.theiia.org/Performance-standards
Standards and Guidance: www.theiia.org/Guidance
Position Papers: www.theiia.org/Position-papers
Implementation Guidance: www.theiia.org/Practiceadvisories
Practice Guides and GTAGs: www.theiia.org/Practiceguides

This section addresses the closely interconnected areas of governance, risk management, and control. (Internal control is
addressed at a high level only in this Challenge Exam Study Guide.) In addition to discussing each of these areas and
how they interrelate, topics also cover how culture impacts the control environment and how to address ethics- and
compliance-related issues.

Topic 1: Organizational Governance

This topic shows how governance fits within governance, risk management, and control (GRC), including an overview of
The IIA’s Three Lines Model. Governance and assessing the organization’s governance structure are covered from
general governance and IT governance perspectives.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Implementation Guidance for Standards 2100 and 2110
Position Paper, “The IIA’s Three Lines Model: An Update of the Three Lines of Defense”
Global Technology Audit Guide (GTAG) 17, “Auditing IT Governance”
Practice Guide, “Auditing Culture”

Governance in GRC Context

According to The IIA

Performance Standard 2100, “Nature of Work”
The internal audit activity must evaluate and contribute to the improvement of the organization's governance, risk
management, and control processes using a systematic, disciplined, and risk-based approach. Internal audit credibility
and value are enhanced when auditors are proactive and their evaluations offer new insights and consider future
impact.

Conforming with Standard 2100 requires a thorough understanding of the concepts of governance, risk management, and
control (GRC). This understanding starts by knowing the IPPF definitions of these terms:

Governance. “The combination of processes and structures implemented by the board to inform, direct, manage, and
monitor the activities of the organization toward the achievement of its objectives.”

Risk management. “A process to identify, assess, manage, and control potential events or situations to provide
reasonable assurance regarding the achievement of the organization’s objectives.”

Control. “Any action taken by management, the board, or other parties to manage risk and increase the likelihood that
established objectives and goals will be achieved. Management plans, organizes, and directs the performance of
sufficient actions to provide reasonable assurance that objectives and goals will be achieved.”

Key Point
Standard 2100 notes that internal auditors must use a “systematic, disciplined, and risk-based approach.” This type of
approach is a differentiating attribute for internal auditing and is a key reason the discipline commands respect.
Consistency in approach is vital to ensuring that the internal audit activity is delivering the quality required by the
Standards.

Internal auditors seeking an understanding of GRC concepts should understand all of the GRC-related Standards: 2100,
2110, 2120, and 2130.

It is also important to learn about GRC frameworks and best practices and consider how they might need to be tailored to
the organization. Developing an understanding of the organization’s objectives, the business, and so on will help guide this
evaluation.

Relationship between Governance, Risk Management, and Control

Governance, risk management, and control are so interconnected that evaluating and improving one area typically
improves the other two areas at the same time. For example:
Effective governance activities consider risk when setting strategy.
Risk management relies on effective governance (e.g., “tone at the top”).
Effective governance relies on internal controls and related communication to the board.

Exhibit 1-26 shows how GRC can be thought of as existing in layers. Note that the back-and-forth arrows are feedback
loops (not one-way information flows).
The governance structure surrounds all activities to ensure that the organization’s values are promoted and key
stakeholder needs are considered.
Risk management highlights key risks to success or key opportunities.
Internal control is where the risk management strategies are executed.

Exhibit 1-26: Interrelationship of GRC Elements

 Source: Anderson et al., Internal Auditing: Assurance and Advisory Services, 4th edition.

Stakeholder Responsibilities for GRC

While the ultimate responsibility for governance is with the board, senior management and other stakeholders also play
important roles.

Board Responsibilities for GRC

Exhibit 1-27 shows how the board of directors functions like an overarching “umbrella” by providing two broad types of
governance to the organization:
Strategic direction
Governance oversight

Exhibit 1-27: Governance “Umbrella”

As shown at the top of the exhibit, board responsibilities for GRC start with identifying and understanding the needs of the
organization’s stakeholders in part because the board has a fiduciary responsibility to certain stakeholders. Stakeholder
interests need to be understood before they can be protected. This includes discovering what would constitute an
unacceptable outcome for each stakeholder in the areas of strategy, finance, compliance, and operations.

The board:
Takes the lead role in governance, including providing strategic direction and guidance toward setting business
objectives.
Provides governance oversight.
Establishes a governance committee.
Articulates requirements for reporting to the board.
Periodically reevaluates governance expectations.
Sets the risk appetite and risk tolerance levels.
Interacts directly with internal and external assurance providers.

Senior Management Responsibilities for GRC

The board provides direction to and empowers senior management to execute the organization’s strategy and governance
on a day-to-day basis. Senior management (chief executive officer and finance, ethics, risk, compliance, HR, and IT
executives) also provide direct leadership over risk management and control processes, but they delegate the specifics to
a risk committee and/or specific line managers who become risk owners.

To be effective, senior management needs to understand the limits to the scope of their authority and the board’s
governance expectations. This can take the form of determining:
Who should be the risk owner for key risks, where in the organization to manage specific risks to enable the most
efficient and effective responses, and how to manage those risks.
When to direct risk owners to have a lower risk tolerance than the general tolerance level (e.g., multiple significant
control deficiencies aggregate to an unacceptable level).
How to set reporting requirements (nature, format, timing) for risk owners to ensure sufficient information for senior
management’s reporting requirements to the board.
How to refine GRC expectations given business changes, changes in risk tolerance levels, and feedback on GRC
effectiveness.

Responsibilities of Other Stakeholders for GRC

A number of other stakeholders are directly or indirectly involved in GRC. Direct involvement starts with line management,
especially managers designated as risk owners. Risk owners have responsibilities such as:
Evaluating risk management design against risk tolerance.
Assessing risk management capabilities, maturity, and operations.
Monitoring risks on a daily basis.
Providing accurate and timely information and recommendations to senior management and the board.

Others directly involved in GRC include members of the supply chain: suppliers, employees, and customers. These
stakeholders take an active role in the business and would be impacted by business disruptions. Employees need a
livelihood. Customer and supplier obligations need to be fulfilled.

Owners, shareholders, and investors are not directly involved in the organization’s business, but they have a strong
interest in the organization’s success. Shareholders can strongly influence the board and help determine who is on the
board.

Regulatory agencies, creditors, and other outside parties may have an interest in the organization and may have
influence. Regulatory agencies are responsible for establishing the regulations. Creditors protect their capital by setting
stipulations (covenants).

Internal Audit’s Role in GRC

Internal auditors also play an indirect (assurance and consulting) role in GRC. The CAE may document in the internal
audit charter the internal audit activity’s independence by affirming that senior management and the board are responsible
and accountable for GRC. The CAE works to understand the business and key organizational roles related to GRC. This
can include using GRC frameworks as a guide (especially if adopted by senior management), reviewing board and
committee charters and meeting minutes, and reviewing the organization’s mission, vision, key objectives, strategic plan,
and key controls. The CAE:
Discusses with the board and senior management the best strategies for the internal audit activity to evaluate and
contribute to GRC.
Considers the maturity level of governance, risk management, and control processes.
Assesses risks to GRC (including the impact of culture and the seniority of risk owners).
Highlights areas of weakness.
Makes recommendations (including adoption of a particular GRC framework).

To demonstrate conformance to Standard 2100, the internal audit activity can refer to the roles and responsibilities related
to GRC as documented in the internal audit charter, audit plans, or minutes of relevant meetings. Audit plans in particular
may provide evidence that the internal audit activity follows a disciplined, systematic, and risk-based approach.
Engagement reports can also support that results are relevant and add value to GRC processes.
The IIA’s Three Lines Model helps clarify the internal audit activity’s role in GRC.

Three Lines Model

GRC requires a cohesive and coordinated approach to ensure that limited risk and control resources are deployed
effectively, significant risks are identified and managed appropriately, and risk ownership is clear to all. Disconnected risk
management efforts can otherwise lead to inefficiencies, coverage gaps, and risk ownership arguments.

The IIA’s position paper “The IIA’s Three Lines Model: An Update of the Three Lines of Defense,” helps clarify GRC roles
and responsibilities. Exhibit 1-28 shows the model.

Exhibit 1-28: Three Lines Model

Source: IIA Position Paper, “The IIA's Three Lines Model: An Update of the Three Lines of Defense,” © 2020, The IIA.

Key Point
Note that the word “defense” was dropped from the Three Lines Model to highlight that organizations don’t exist to
manage risk; they exist to achieve their objectives. Risk management therefore needs to both be proactive in helping
achieve those objectives and serve as a defense.

The Three Lines Model is a principles-based model intended to be adapted to the needs of any organization. Its six
principles are as follows:

1. Governance. Governance of an organization requires appropriate structures and processes that enable:
Accountability to stakeholders by the board through integrity, leadership, and transparency.
Actions by management to achieve objectives, manage risk, and use risk-based decision making and application of
resources.
Assurance and advice by an independent internal audit activity.

2. Governing body roles. The board establishes appropriate governance structures and ensures that organizational
objectives align with the prioritized interests of stakeholders. The governing body role is critical to the Three Lines
Model:
Accountable to stakeholders for oversight and engages with them for two-way, transparent communications on
objectives.
Nurtures an ethical and accountable control environment.
 Delegates responsibility and provides resources to management to achieve organizational objectives while
conforming to legal, regulatory, and ethical expectations.
Establishes appropriate committees, compliance oversight functions, and an independent, objective, and competent
internal audit activity.
Determines risk appetite and oversees GRC.

3. Management first and second line roles. Management is defined broadly to include both “front of house” as well as
“back office” activities (e.g., HR). Management has both first and second line roles. Positions may have blended roles
or specialize in one or the other role.
First line roles. First line roles deliver products and services to customers and are responsible for managing risk
through leadership, action, development of structures and processes, and resource allocation. They require
maintaining a continuous dialogue with the board, including reporting on objective achievement and risk. They
involve ensuring compliance with legal, regulatory, and ethical expectations.
Second line roles. Second line roles provide complementary expertise, support, monitoring, and challenge to first
line roles. They develop, implement, continuously improve, and report on the adequacy and effectiveness of risk
management and internal control at a process, systems, and entity level. Roles can be broad enterprise risk
management roles or they can be specialized, including compliance, ethics, internal control, IT security,
sustainability, and quality assurance.

4. Third line roles. The internal audit activity is the third line role because it is a systematic, disciplined, competent,
independent, and objective assurance and advice role for GRC. It remains primarily accountable to the board and
reports to it on GRC, achievement of objectives, continuous improvement, and disclosures of impairments.

5. Third line independence. Accountability to the board, unfettered access, freedom from bias and interference, and
independence from management responsibilities enable the internal audit activity to have objectivity, authority, and
credibility.

6. Creating and protecting value. All roles collectively create and protect value when they align with each other and with
the prioritized interests of stakeholders. Alignment requires communication, cooperation, and collaboration. This
ensures the reliability, coherence, and transparency of information needed for risk-based decision making.

The three lines need to be coordinated to ensure efficiency and effectiveness, but there is no one right way to do this.
However, there is a natural division of labor created by the differing risk roles:
The first line role has the risk owner role.
The second line role has the risk control and compliance role.
The third line role has the risk assurance role.

While having all three roles is a best practice, if internal audit takes on first or second line roles, the CAE should
communicate to the board and senior management the impact of this combination and recommend their separation when
appropriate, such as after the organization grows in size or complexity.

Other GRC stakeholders, including external auditors, regulators, and other external bodies, are not directly part of any of
the three lines. However, they play important roles in GRC. External assurance providers provide additional assurance to:
Satisfy legal and regulatory expectations that serve to protect the interests of stakeholders.
Satisfy requests by management and the governing body to complement internal sources of assurance.

External assurance providers are more effective in GRC when:

Their activities are carefully coordinated to avoid duplication of effort.
The internal audit activity addresses gaps in their coverage due to their specialized focus areas.
Governance

According to The IIA

Performance Standard 2110, “Governance”
The internal audit activity must assess and make appropriate recommendations to improve the organization’s
governance processes for:
Making strategic and operational decisions.
Overseeing risk management and control.
Promoting appropriate ethics and values within the organization.
Ensuring effective organizational performance management and accountability.
Communicating risk and control information to appropriate areas of the organization.
Coordinating the activities of, and communicating information among, the board, external and internal auditors,
other assurance providers, and management.

Governance is a board and senior management responsibility, not an internal audit activity responsibility. However, the
CAE and internal auditors need a clear understanding of the concept of governance and the characteristics of typical
governance processes. This includes:
Studying best practices and GRC framework principles.
Learning about how the organization applies GRC frameworks (if used) given their size, complexity, life cycle, maturity,
stakeholder structure, and legal requirements.
Noting the direction that the board is providing to management in terms of risk tolerance levels and reporting
expectations.

The CAE may interview key governance roles and review board and committee charters, meeting agendas, and minutes
to:
Gain insight into the role the board plays in the organization’s governance, especially regarding strategic and
operational decision making.
Understand organization-specific processes and assurance activities currently in place.
Learn about the board’s and senior management’s understanding and expectations of governance, the requirements of
Standard 2110, the nature of governance processes, and the internal audit activity’s role in governance.

Governance is a broad concept, and differences will exist (especially when considering governance in a global context,
which is also influenced by national culture). However, Exhibit 1-29 lists some commonly identified governance principles
considered to be effective.

Exhibit 1-29: Commonly Identified Governance Principles

Board Ensure that the board has correct/proper members, committee structure,
membership meeting protocols, sound and independent judgment about
organizational affairs, and periodically reaffirmed membership.
Board Ensure that board members have appropriate qualifications and
qualifications experience, clear understanding of governance roles, sound knowledge
of organizational operations, and independent/objective mindset.
Board Ensure that the board has sufficient authority, funding, and resources to
independence conduct independent inquiries.
Transparent Maintain an understanding by executive management and the board of
structure the organization’s operating structure, including structures that impede
transparency.
Measurable Articulate an organizational strategy against which the success of the
strategy overall enterprise and the contributions of individuals are measured.
Strategic Create an organizational structure that supports the enterprise in
structure achieving its strategy.
 Governing Establish a governing policy for the operation of key activities of the
policy organization.
Clear lines Set and enforce clear lines of responsibility and accountability in the
organization.
Effective Ensure effective interaction among the board, management, internal
interaction auditors, external auditors, and other assurance providers.
Management Secure appropriate oversight by management, including establishment
oversight and maintenance of a strong set of internal controls.
Compensation Ensure that compensation policies and procedures for senior
policies management and for others encourage appropriate behavior and are
consistent with the organization’s ethical values, objectives, strategy,
and control environment.
Control Communicate and reinforce an ethical culture, organizational values,
environment appropriate “tone at the top,” a nonretaliatory environment for employees
to raise concerns, and a way to monitor and investigate potential
conflicts of interest.
Internal audit Use internal auditors effectively, ensuring the adequacy of their
independence, resources, and scope of activities and the effectiveness
of operations.
Risk Clearly define and implement risk management policies, processes, and
management accountabilities at the board level and throughout the organization.
External audit Effectively use independent outside auditors, ensuring their
independence, adequate resources, and scope of activities.
Key Provide appropriate disclosure of key information, in a transparent
information manner, to stakeholders.
disclosure
Governance Disclose the organization’s governance processes, comparing those
disclosure processes with recognized national codes or best practices.
Conflicts of Ensure appropriate oversight of related-party transactions and conflict-
interest of-interest situations.

Source: Adapted from Anderson and Dahle, Applying the International Professional Practices Framework (IPPF), 4th edition.

Given a clear understanding of how the organization approaches governance, the CAE can contemplate whether the
current internal audit plan addresses governance processes and their associated risks, including whether the integration
requirements of the governance, risk management, and compliance functions are adequate. This may lead to
opportunities for the internal audit activity to improve its plans and approaches for conformance with Standard 2110.

Internal auditors can use the organization’s adopted governance framework as the basis of evaluation. Organizations may
take advantage of governance frameworks to help set their governance objectives. One example is the King Report.

King Report
The King Report on Corporate Governance is the output of South Africa’s King Committee on Corporate Governance. The
latest version is King IV (2016). The report is principles- and outcomes-based, focusing on transparency and disclosures
that require entities to explain how the principles are applied.

The report provides a model for good governance that requires an integrated approach inclusive of stakeholder interests
and a focus on corporate social responsibility.

A Code of Corporate Practices and Conduct is included in the report:

Discipline. Organizations commit to disciplined behavior that is universally accepted as proper and correct.
 Transparency. Organizations commit to make it easy for outsiders to analyze the organization’s activities.

Independence. Organizations are self-reliant and can manage or avoid conflict.

Accountability. Organizations develop ways to accept and acknowledge the positive and negative consequences of
their actions.

Responsibility. Organizations design corrective action into all processes and consider the needs of all stakeholders in
decision making.

Fairness. Organizations balance competing interests.

Social responsibility. Organizations embed corporate social responsibility programs into their core business model.

The King Report addresses the role and function of internal auditing as well as specific reporting requirements, for
example, the need for audit committees to approve all appointments and dismissals of the CAE.

The report emphasizes effective leadership based on an ethical foundation and the need to fundamentally redesign the
organization around sustainability. Innovation, fairness, and collaboration are described as key tools to achieve
sustainability. Internal auditors are also placed as central to maintaining proper governance and developing organizational
strategy. King III highlighted the imperative to use risk-based auditing, stating:

A compliance-based approach to internal audit adds little value to the governance of a company as it
merely assesses compliance with existing procedures and processes without an evaluation of whether or
not the procedure or process is an adequate control. A risk-based approach is more effective as it allows
internal audit to determine whether controls are effective in managing the risks which arise from the
strategic direction that a company, through its board, has decided to adopt.

It went on to recommend that internal auditors assess the general effectiveness of the system of internal controls, the
control environment, and risk management processes.

IT Governance

According to The IIA

Implementation Standard 2110.A2 (Assurance Engagements)
The internal audit activity must assess whether the information technology governance of the organization supports
the organization’s strategies and objectives.

According to Anderson et al. in Internal Auditing, IT governance is “the leadership, structure, and oversight processes that
ensure the organization’s IT supports the objectives and strategies of the organization.” IT governance is the subset of
organizational governance directly related to oversight of IT assets and IT risks.

Beginning with the end in mind, the primary outcomes of effective IT governance include the following:

IT strategies are aligned with organizational objectives.

The board and senior management understand the potential and limitations of IT.
IT senior management understands organizational objectives and needs.
An IT governance structure is used to apply and monitor this understanding.

Risks are identified and managed properly.

IT investments are optimized to deliver value.

 IT performance is defined, measured, and reported using meaningful metrics.

IT resources are managed effectively.

Key Point
Because IT is now embedded everywhere throughout most organizations, it is important to understand that it will be part
of most areas being audited. All three parts of the IIA CIA exam could have questions that take an IT perspective. IT-
related questions in Parts 1 and 2 of the exam will likely be conceptual rather than testing on specific IT details.

The alignment of organizational objectives and IT is more about governance and less about technology. Therefore, it is
important to take a strategic approach to implementing IT governance. A strategic approach includes:
Evaluating alternatives.
Ensuring that execution is directed toward objectives.
Monitoring risk and performance against financial and nonfinancial goals:
A key financial goal is to realize the organization’s strategy and provide competitive advantage. (A counterexample
is senior management thinking that IT exists solely to deliver day-to-day services and limiting goals to operational
cost savings.)
A key nonfinancial goal is to ensure a strong system of internal controls. Strong IT governance promotes good
control design; weak IT governance could be the root cause of ineffective and deficient controls.

IT governance is a shared responsibility of the board and senior management. That is, the board and senior management
“own” IT governance. The board is responsible for overall strategic IT guidance. Senior management carries out the day-
to-day direction of IT strategy execution. The board and senior management are responsible for establishing the
organization’s IT objectives in alignment with the overall business strategy, for defining IT strategies to achieve business
objectives, and for establishing:
IT governance policies.
Organizational structures that include IT roles and authorities.
IT processes.

Use of an IT governance framework can provide the organization with a foundation and mechanism for measuring IT’s
effectiveness at achieving planned outcomes.

IT Governance Framework
The IIA’s Global Technology Audit Guide (GTAG) 17, “Auditing IT Governance” provides a general IT governance
framework that focuses on the areas shown in Exhibit 1-30.

Exhibit 1-30: IT Governance Framework

Framework
Description
Area

Strategic IT governance provides the strategic direction for IT and ensures that IT
alignment and business strategies are aligned for all IT projects and services.
Risk IT governance can ensure that IT risks are addressed and that enterprise
management risk management includes risk aspects of IT investments, defined
responsibilities for risk management, and a holistic process for analyzing,
addressing, and continuously monitoring risks.
Value IT governance can drive the maximum value from IT by ensuring that
delivery financial value is measured not only in terms of overall return on
investment but also in terms of other strategic measures such as IT
tactical plan execution, systems uptime, degree of automation in the
 systems development life cycle, productivity, and revenue generation.
Performance IT governance can help in measurement of the achievement of strategic
measurement IT objectives, IT performance, and the delivery of promised business
functionality (and therefore contribution to profitability). Tools such as
continuous monitoring or root cause analysis support these
measurements.
Resource IT governance oversees the aggregate funding of IT at the enterprise
management level and ensures that there is (and will continue to be) adequate IT
capability and infrastructure at the organization.

An IT governance framework addresses the following components:

IT process areas. Change management, information security management, software development, IT project
management, etc.

IT mechanisms. Standards, policies, and frameworks for directing, monitoring, and measuring IT performance and
managing IT risks.

IT governance organizational structures. IT roles and reporting lines (see Exhibit 1-31) to meet organizational
objectives and formally evaluate and prioritize requirements.

Exhibit 1-31: Examples of IT Governance Organizational Structures

Governance
Members Scope
Body

IT governance Chief executive officer, chief financial Set business and IT strategy
board officer, and chief information officer, and investment plans.
plus CAE as nonvoting advisor on
risk/control
IT steering IT senior management and business Ensure IT strategic
committee unit owners alignment.
IT portfolio office IT and business program/project Develop IT project metrics,
managers monitor, and report.
IT architecture Chief information officer, chief Determine IT architecture
office information security officer (CISO), design.
chief operating officer, IT infrastructure
managers
Technology Chief information officer, chief Evaluate technology
council technology officer (CTO), and business opportunities.
unit owners
Cybersecurity Chief information officer, CTO, CISO, Evaluate risk and strategies
and data chief risk officer (CRO), chief financial to protect organization’s
protection officer, chief operating officer, business information assets.
council unit owners, and CAE as nonvoting
advisor on risks/controls

Role of Internal Audit in IT Governance

The internal audit activity must assess IT governance per Standard 2110.A2. The activity’s independence puts internal
auditing in a neutral position to influence IT governance and recommend change. Providing advice should not impede
independence if management takes full responsibility and accountability for implementation and operation of controls.

The internal audit activity may include IT governance in its risk universe. Risk-based audit planning can use a root cause
analysis framework such as the one shown in Exhibit 1-32 to evaluate potential IT weaknesses.
 Exhibit 1-32: IT Risk—Root Cause Analysis Framework

The model shows three layers of control:

Start at the technical configuration layer at the bottom (e.g., poor firewall configuration is identified).
Work backwards to potential root causes in IT processes (e.g., poor oversight).
Finish with potential root causes in IT governance (e.g., no firewall configuration training).

To ensure that here will be opportunities to provide advice, it is imperative that audits of IT governance include both
assurance and consulting engagements. Either type of engagement can focus on the organization’s implementation of IT
governance practices, which include clearly defined policies, roles, responsibilities, risk appetite alignment, effective
communication, “tone at the top,” management of IT value, and clear accountability. Here are some specific areas for
review:

IT strategic planning. There is a clear definition of IT’s mission and vision, and an IT strategic planning process with
major initiatives is in place.

IT tactical planning. Project and change management methodologies are used with related controls, clear definitions
of expected benefits, and clarity of scope definition.

IT delivery process. Operational controls, modification processes, and project management processes are functioning
as intended. Actual versus planned benefits are analyzed.

Application development methodology. A process such as the systems development life cycle is in place and is
used consistently.

Current portfolio administration. A process exists and is effective.

Overall IT efficiency and effectiveness. IT adds more value than it costs.

Management and Board Governance Audits

For internal auditors to contribute to the governance area, it is critical that they:
Define governance and the organization’s governance processes.
Determine what is in versus out of the internal audit scope due to the broad nature of governance.
Develop plans aligned with this understanding and start executing.

Usually, a single audit of governance overall is not attempted. Rather, the assessment of governance processes is likely to
be based on information obtained from numerous audit assignments over time. However, if an overall governance
assessment is appropriate, it should include review of:
 Results of audits of specific governance processes.
Results of audits not specifically focused on governance, such as strategic planning, risk management processes,
operational efficiency and effectiveness, internal controls over financial reporting (ICFR), IT risks, fraud risks, and
law/regulation compliance.
Results of management assessments (e.g., compliance assessments, quality audits, or control self-assessments).
Governance issues such as adverse events.

The CAE’s final audit plan uses a risk-based approach to identify higher-risk governance processes to potentially include
as assurance engagements. Consulting services may be preferred when known issues exist or the organization’s
governance process is immature. In other cases, continuous monitoring methods can be used, such as assigning internal
auditors to observe meetings of governance-related bodies and providing internal audit advice upon request on an
ongoing basis.

Using Standard 2110 as a Checklist for Potential Audit Coverage Areas

Internal audit coverage of governance can consider each of the bullets in Standard 2110 to be part of the risk universe for
potential audits of organizational governance:
Making strategic and operational decisions
Overseeing risk management and control
Promoting appropriate ethics and values within the organization
Ensuring effective organizational performance management and accountability
Communicating risk and control information to appropriate areas of the organization
Coordinating the activities of, and communicating information among, the board, external and internal auditors, other
assurance providers, and management

Making Strategic and Operational Decisions

Anderson et al. in Internal Auditing indicate that strategy “refers to how management plans to achieve the organization’s
objectives.” When assessing how strategic and operational decisions are made:
Start by understanding organizational objectives. This could include a review of strategy documents, mission and
vision statements, and so on.
Assess how strategic and operational decisions are discussed and implemented.
Assess whether established, consistent decision-making processes are used.

Audit techniques can include:

Review of past audit reports, board meeting minutes, the board policy manual, and related governance documents.
Interviews with department heads to provide perspective.

Overseeing Risk Management and Control

Assessing oversight of risk management and control functions can include:
Reviewing the process for conducting the annual risk assessment.
Reviewing minutes from risk strategy meetings.
Reviewing previously conducted risk assessments.
Interviewing key risk management persons: compliance, risk, and finance officers.
Benchmarking risk management and control processes against relevant sources such as competitors or industry
trends.
Assessing the level and type of support the internal audit activity provides to the organization’s risk management
program, including:
Robust and thorough analysis of risk management and internal control systems.
 Structure and discipline in the risk management program.
Organizational and divisional risk assessments.
Ongoing formal or informal oversight and input.

Promoting Appropriate Ethics and Values within the Organization

Audits can assess whether governance activities promote appropriate ethics and values within the organization. Document
reviews in this area can include:
Mission and value statements, the organization’s code of conduct, and related ethics and values objectives, programs,
and activities.
Hiring and training processes, anti-fraud and whistleblowing policies/hotlines, and the related investigation process.

In addition to document reviews, personnel can be interviewed or surveyed to determine their level of awareness of ethical
standards and values.

Ensuring Effective Organizational Performance Management and Accountability

To assess the effectiveness of organizational performance management and accountability processes, review:
The organization’s policies and processes related to staff compensation, objective setting, and performance evaluation.
Associated KPIs and incentive plans for appropriate design and execution to prevent or detect unacceptable behavior
or excessive risk taking and to promote strategic alignment.

Communicating Risk and Control Information to Appropriate Areas of the Organization

Assessments of how the area under review communicates risk and control information typically involve:
Determining the accuracy, completeness, and timeliness of risk and control information in internal reports, newsletters,
relevant memos and emails, and staff meeting minutes.
Using surveys and interviews to gauge how well employees understand their risk and control responsibilities and the
potential impact of failure to exercise those responsibilities.

A potential service the internal audit activity could offer in this area would be to provide education on risk and control
topics, especially if targeting identified deficiencies.

Coordinating the Activities of, and Communicating Among, the Board, External and Internal Auditors, Other
Assurance Providers, and Management
Assessments of activity coordination and communication among the board, external and internal auditors, other assurance
providers, and management include:
Identifying the meetings that include these parties and determining their frequency of occurrence.
Reviewing meeting minutes, work plans, and reports.
Attending such meetings as participants or observers.

Improvement Recommendations for Governance Processes

The CAE considers the ramifications of potential governance process observations and may communicate with the board
and senior management during all phases of the engagement (planning, evaluating, and reporting) as appropriate. Here
are some examples of recommendations that might be made:
Finding ways to improve the flow of information to the board (e.g., more relevant, complete, timely, accurate, and
forward-looking)
Avoiding subjectivity by objectively analyzing execution of past strategies
Assessing measurement processes and metrics for degree of alignment to strategy
Analyzing past ethics- or value-based code violations or trends
 Assessing post-merger integration plans and progress toward their execution

Demonstrating conformance to Standard 2110 can be made through multiple separate internal audit reports on individual
governance processes. Alternatively, an overall report on governance can be prepared that summarizes observations and
recommendations from relevant assurance and consulting engagements.

Topic 2: Culture, the Control Environment, and Engagements

This topic introduces the control environment and how to audit it. The impact of organizational culture on the control
environment and on individual engagement risks and controls is also addressed.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Implementation Guidance for Standards 2100, 2110, and 2130
Practice Guide, “Auditing Culture”

Control Environment
The IPPF glossary defines the control environment as follows.

The attitude and actions of the board and management regarding the importance of control within the
organization. The control environment provides the discipline and structure for the achievement of the
primary objectives of the system of internal control. The control environment includes the following
elements:
Integrity and ethical values.
Management’s philosophy and operating style.
Organizational structure.
Assignment of authority and responsibility.
Human resource policies and practices.
Competence of personnel.

Much as the foundation of a house determines whether the structure will stand the test of time, the control environment is
the foundation for the system of internal controls. It sets the tone for how controls are perceived. A good foundation can
result in a control-conscious culture that applies rigor to control design and implementation; a poor foundation can have a
pervasive impact on the system of internal controls.

It is important to see how the control environment fits in the context of the entire system of internal controls. One way to
see this context is to study the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal
Control—Integrated Framework cube, shown in Exhibit 1-33.
 Exhibit 1-33: COSO Internal Control—Integrated Framework Cube

Source: Internal Control—Integrated Framework, COSO.

Key Point
The key point about this cube is that a system of internal controls requires a number of interconnected elements to
function effectively.

Note that this is just one of several internal control frameworks, and the internal audit activity needs to fully understand
and support whichever framework the organization has chosen to adopt.

The control environment forms a critical foundation for the other components of internal control that need to be integrated:
risk assessment, control activities, information and communication, and monitoring activities. The top of the cube shows
the three categories of objectives that an organization works to achieve using the system of internal controls: operations,
reporting, and compliance objectives. The final side of the cube shows the organization’s structure to reinforce that the
system of internal controls needs to be integrated into the organization at multiple layers that are more and more detailed.

Given this context, let’s explore each of the elements of the control environment listed in the control environment
definition.

Integrity and Ethical Values

COSO’s Internal Control—Integrated Framework has five principles related to the control environment. Each principle
contains points of focus, which are optional characteristics that management may decide to evaluate in terms of whether
or not they are present and functioning. The principle related to integrity and ethical values and its points of focus are as
follows:
The organization demonstrates a commitment to integrity and ethical values.
Sets the tone at the top.
Establishes standards of conduct.
Evaluates adherence to standards of conduct.
Addresses deviations in a timely manner.

(This and later quotations from the framework are copyrighted by COSO [© 2013] and are used with permission. Note that
the points of focus are helpful in organizing the content below; however, the guidance includes information from IIA
materials and other sources.)

Sets the “Tone at the Top”

The tone at the top is one of the most important elements of culture. For example, an attitude of ignoring the rules on the
part of those at the top tends to pervade to lower levels. People may either adopt the same attitude or leave the
organization, which results in fewer people remaining who show integrity. The tone at the top encompasses the following
concepts:
Top management and the board lead by example, considering stakeholder expectations.
The tone is shown through the actions and decisions of management, leadership and communication that is provided,
and responses to deviations.
The tone at the top is fundamental to the proper functioning of the internal control system.
The tone at the top is further expressed in the form of mission statements, value statements, codes of conduct,
principles, policies and practices, directives, and guidelines.
The operating style and the conduct of senior management and the board and the risk tolerances they set create an
atmosphere that subordinates pick up on—for good or for ill.
A consistent tone helps pull the organization together, while a poor or inconsistent tone creates unintended
consequences such as poor risk awareness, poor risk responses, poorly defined or ignored controls, or lack of
improvement given feedback.

The history and culture of an organization directly influence the control environment. Culture supports the control
environment when it creates behavioral expectations that reinforce commitment to ethics, integrity, oversight, and
performance evaluation.

Establishes Standards of Conduct

According to The IIA

Implementation Standard 2110.A1 (Assurance Engagements)
The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-
related objectives, programs, and activities.

Standards of conduct can include ethics programs, a written code of ethics, a written code of conduct, and related entity-
level policies and procedures. An organization could have a combined code of ethics and conduct.

A strong ethical culture is the foundation of good governance. An ethical culture is created through a robust ethics program
that sets expectations for acceptable behaviors in conducting business in the organization and with external parties. It
includes:
Effective board oversight.
Strong tone at the top and senior management involvement.
Organization-wide commitment.
A customized code of conduct.
Timely follow-up and investigation of reported incidents and consistent disciplinary action for offenders.
Ethics training and communications.
Ongoing monitoring systems.
An anonymous incident reporting system.

Ethics is everyone’s responsibility:

The board oversees the ethical climate and ensures that management has sound ethics-related objectives and
programs via assurance from internal auditing.
Senior management promotes and exemplifies an ethical tone at the top and creates explicit strategies to support and
enhance the ethical culture, including ethics training.
Line managers’ attitudes and behaviors create an ethical subculture for their areas.
 Outsourced service providers (e.g., customs clearance) can create reputation risks for unethical actions on the behalf
of the organization. Contracts should include things like anti-bribery and conflict-of-interest clauses.
There may be a chief ethics officer and/or designated person (ombudsman) for ethics advice.

A written code of ethics will likely include principles that the majority of boards or organizational managers would agree are
considered desirable in conducting business. The board and senior management will come to consensus on the set of
principles that are considered acceptable behavior at the organization. Note that due to the need for consensus, corporate
ethics will likely not match the personal ethics of all persons. Components of a written code of ethics may include
principles related to honesty, integrity, transparency, fair dealing, clear delegation, positive personnel practices, and so on.

A written code of conduct provides behavioral guidance and rules for staff (and outsourced service providers who have
been delegated responsibility for organizational processes) when taking actions or making decisions. The code clarifies
the expectations of the board and senior management as to what is considered right versus wrong. It provides guidance
on common gray areas or difficult decisions and highlights associated risks.

A code of conduct may address the following subjects:

Conflicts of interest
Confidentiality
Fair dealing
Proper use of organizational assets
Gifts and gratuities
Compliance with laws, rules, and regulations
Compliance with voluntary standards such as for corporate social responsibility
Reporting of illegal or unethical behavior

For example, a written statement about conflicts of interest should:

Generally define conflicts of interest.
Address the expected behavior for employees, other corporate agents, and suppliers.
Include provisions for activities, investments, or other interests that reflect on the entity’s integrity or reputation.

Policies and procedures for the control environment are determined by the board and are at the entity level. They form the
basis for more detailed policies and procedures at the division, operating unit, and business function levels. In addition to
stating requirements, a best practice is to provide the rationale for adherence, which could cite a related law or regulation
or key risks, such as to customer safety or company reputation.

Control environment policies and procedures include defined accountabilities for business functions with control
environment implications. This includes safeguarding of assets, product safety, and guidelines on developing
compensation systems in ways that minimize unintended consequences.

Evaluates Adherence to Standards of Conduct

One way to evaluate adherence to standards of conduct is to require staff to recertify annually that they understand,
accept, and adhere to the code. Best practices include teaching the standards of conduct to new employees using
quarterly or biannual training sessions.

Policies and procedures also need processes for evaluating compliance and addressing shortcomings. This includes
ensuring that:
There is a process for enforcing consequences.
Training or guidance occurs.
There is a process to seek and address root causes of the shortcomings.
 There is a process for keeping policies and procedures up to date given new laws, regulations, values, etc.

Addresses Deviations in a Timely Manner

Standards of conduct should contain a process for monitoring and enforcing the code, including how potential deviations
will be investigated and addressed and how disciplinary actions will be applied. Failure to enforce or being too slow in
enforcing consequences creates a control environment risk, because persons may see a lack of enforcement as a tone
from the top that these standards are not important and can be ignored.

Management’s Philosophy and Operating Style

COSO’s Internal Control—Integrated Framework does not have a principle related directly to management’s philosophy
and operating style. However, the prior discussion of the tone at the top and how management enforces standards of
conduct are just a few of the many examples in this topic of how the philosophy and operating style of management
impacts the control environment.

Organizational Structure
The principle in COSO’s Internal Control—Integrated Framework related to organizational structure and its point of focus
are as follows:
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and
responsibilities in the pursuit of objectives.
Considers all structures of the entity.

Considers All Structures of the Entity

Organizations develop structures to accomplish their objectives, including:
Legal entity structures (e.g., partnerships, subsidiaries).
Organizational structures (e.g., hierarchical, matrix).
Geographic market structures (e.g., regional divisions).
Supply chain structures (e.g., outsourced processes and services).

Many of these types of structures are addressed in Part 3 of these materials. The main point in regard to the control
environment is that management needs to consider how such structures impact achievement of objectives, related risks,
and controls. For example, a structure may help keep authorities and responsibilities separate or concentrate too much
control in a given entity or individual. Structures can be reviewed for continued relevance, effectiveness, and efficiency.

Assignment of Authority and Responsibility

The Internal Control—Integrated Framework principles related to the assignment of authority and responsibility and their
points of focus are as follows:

The board of directors demonstrates independence from management and exercises oversight of the development and
performance of internal control.
Establishes oversight responsibilities.
Applies relevant expertise.
Operates independently.
Provides oversight for the system of internal control.

Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and
responsibilities in the pursuit of objectives.
Establishes reporting lines.
 Defines, assigns, and limits authorities and responsibilities.

Establishes Oversight Responsibilities

The board of directors establishes oversight responsibilities by creating oversight committees and processes that align
with the organization’s objectives.

Applies Relevant Expertise

Examples of the board applying relevant expertise include:
Exercising fiduciary responsibilities to shareholders/owners with due professional care (e.g., reviewing financial
statements and disclosures).
Delving into management’s plans and performance by asking probing questions and following up on corrective actions.

Operates Independently
Examples of how the board operates independently include setting expectations for and evaluating the conduct of the
CEO in regard to ethical values, integrity, and performance.

Provides Oversight for the System of Internal Control

Examples of how the board provides oversight for the system of internal control include:
Overseeing definition and application of the organization’s code of conduct.
Requiring assessments of board oversight effectiveness and continually improving.

Establishes Reporting Lines

Reporting lines are how managers in various organizational or other structures execute their assigned authorities and
responsibilities, including reporting information to higher levels. These lines should be documented and understood by the
relevant parties.

Defines, Assigns, and Limits Authorities and Responsibilities

The board retains some authority over significant decisions and delegates other areas of authority and responsibility to
management, who in turn do so with their subordinates. Limitations to authority include segregation of duties.

Human Resource Policies and Practices

The principle in COSO’s Internal Control—Integrated Framework related to HR policies and practices and its points of
focus are as follows:
The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with
objectives.
Establishes policies and practices.
Evaluates competence and addresses shortcomings.
Attracts, develops, and retains individuals.
Plans and prepares for succession.

Establishes Policies and Practices

HR policies and practices:
Establish the necessary level of competence for a given role.
Indicate the basis for requirements (e.g., legal compliance).
Specify the skills and conduct that will be required for achieving objectives and supporting internal control.
Establish specific accountabilities.
Evaluates Competence and Addresses Shortcomings
HR policies and practices form the basis for evaluating competence and addressing shortcomings. Role descriptions
provide guidance on the expected level of competence required to achieve the organization’s objectives. This starts with
the skills and conduct that are needed to ensure that the system of internal control is effective. For example:
Skills could include proficiency with the enterprise resources planning system an organization uses for its business
transactions and knowledge of the system's transaction authorization requirements.
Conduct could include consistently adhering to those authorization requirements.

Management evaluations may address knowledge, skills, experience, degree of judgment the role requires, and limitations
of authority. They may also assess whether the required level of competence is appropriate from a cost-benefit
perspective.

Attracts, Develops, and Retains Individuals

Management determines the appropriate number of individuals for each role and whether this is adequate to achieve
objectives and reduce internal control risks to an acceptable level. The processes for seeking out qualified candidates,
training or mentoring them, evaluating competence, and retaining personnel are also reviewed for quality and compliance.

Plans and Prepares for Succession

For roles or business functions considered essential for accomplishing the organization’s key objectives, management has
plans for replacing key persons or entities (e.g., a key supplier) or otherwise fulfilling those objectives in absence of the
individual or entity.

Competence of Personnel
The Internal Control—Integrated Framework principle related to competence of personnel and its points of focus are as
follows:
The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Enforces accountability through structures, authorities, and responsibilities.
Establishes performance measures, incentives, and rewards.
Evaluates performance measures, incentives, and rewards for ongoing relevance.
Considers excessive pressures.
Evaluates performance and rewards or disciplines individuals.

Enforces Accountabilities Through Structures, Authorities, and Responsibilities

The board and management hold persons accountable for accomplishing objectives and fulfilling internal control
responsibilities by exercising their authority as authorized by the organizational structure, reporting lines, and defined
responsibilities. An escalation process to higher levels of authority exists to ensure that enforcement occurs and is
consistently applied.

Establishes Performance Measures, Incentives, and Rewards

Management promotes achievement of objectives and fulfilling of internal control responsibilities through use of cost-
effective performance measures, incentives, and rewards. Rewards and incentives are discussed more in Part 3 of these
materials.

Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance

These programs are assessed for cost-benefit and alignment to objectives.

Considers Excessive Pressures

Performance measures, incentives, and rewards may create excessive pressures on individuals or entities, creating a risk
of subversion of internal controls to achieve organizational objectives. Management makes necessary adjustments to
mitigate this risk.

Evaluates Performance and Rewards or Disciplines Individuals

Management evaluates performance against performance measures and adherence to standards of conduct and ensures
that appropriate rewards or discipline occur and are consistent.

Basis for Evaluating Ethics

Organizational standards of conduct are the basis for assessing adherence to organizational ethics and values. There are
stated values as well as operating values.

An important aspect of the effectiveness of codes of ethics or conduct is the degree to which these function as the basis
for the values of the organization and its people. Values are beliefs about right versus wrong that guide people’s and
organizations’ decisions and actions, especially in situations that require making tradeoffs between conflicting objectives.
Inherent in values is a set of priorities or criteria that help people determine which values are more important than others.
There are two types of values:
Stated values. These are ideal or written values, such as written codes of ethics and/or conduct.
Operating values. These are cultural values that guide actual organizational behavior.

If there is little difference between stated and operating values, then the codes of ethics and/or conduct may be
considered effective. However, if there is a disconnect between the two types of values, it will be difficult for staff to
determine what is “acceptable.” The operating values, even if dysfunctional, may become the status quo. For example, a
peer might say, “That’s the theory, but this is how it is really done,” or, “This is what you have to do around here if you want
to get ahead.”

Auditing the Control Environment

When auditing the control environment, the internal audit activity considers the risk of control environment failures as they
develop the annual audit plan and as they plan each individual engagement.

Key Point
If the effectiveness of the control environment is not considered in an audit engagement, there is a risk that the
assessment of the adequacy of controls will be incomplete or misleading.

Audits of the control environment:

Start with a risk assessment to help set audit scope, frequency, and rotation.
Take into account planning considerations as individual engagements are planned.
Require assessment criteria.
Require selection of tools and techniques to use.

Each of these areas is discussed more next.

Control Environment Risk Assessment and Audit Scope

A control environment risk assessment can use the elements from the IPPF definition of control environment as potential
audit scope areas. These elements are repeated below along with examples of situations that may influence the risk
assessment. (Note that these examples may apply to more than one of the control environment elements.)

Integrity and ethical values. Lack of code of conduct/ethics or inability to evaluate adherence; high fraud rate.
 Management’s philosophy and operating style. Frequent management override of controls; lack of consideration of
risk in management decision making.

Organizational structure. Ineffective board oversight or control environment monitoring; silos that promote
department objectives over organizational objectives.

Assignment of authority and responsibility. Unclear job descriptions; insufficient separation of duties.

HR policies and practices. Compensation and incentive structures that create a high risk of inappropriate behavior or
risk taking; poor or nonexistent background or reference checks; no whistleblower policy or hotline.

Competence of personnel. Key function turnover resulting in ineffective supervision; lack of key personnel
competence (e.g., favoritism to unqualified family or associates).

In addition to assessing the risks of failure of each of these elements individually, it is also important to consider the
interaction of the elements with one another.

Given risk assessments in each of these or other areas, the CAE selects the scope of the audit or series of audits. The
scope could encompass all elements, either for the organization as a whole or limited to a specific division or business
unit. Alternately, control environment elements could be assessed as part of the scope of other audits such as an audit of
a specific business process. For example, an audit of accounts payable (A/P) might add an audit step to determine how
familiar A/P staff are with expectations for ethical behavior.

The CAE also determines the frequency and rotation of control environment audits and how to integrate the results of
multiple audits while avoiding duplication of effort.

Planning Considerations and Assessment Criteria

Because control environment audits involve discussion of sensitive issues and often require interviews with board/audit
committee members and senior management, some special planning considerations apply, including but not limited to:
Considering staffing the audit with experienced persons to enhance credibility and recommendation acceptance.
Consulting legal counsel for some areas such as pending investigations.
Ensuring that the internal audit activity’s reporting structure as documented in the charter is sufficiently independent to
enable appropriate access and audit scope.
Considering how differences in national culture or national laws/regulations would impact how the engagement or its
recommendations would be received.

Another sensitive task for the CAE is to determine the criteria against which the control environment will be assessed. The
CAE should clearly articulate and communicate the audit scope and criteria to be used, which may help with getting buy-in
from the board and senior management. These criteria could be based on:
An organization’s rating system.
A defined internal control framework’s principles.
A maturity model.
An industry standard or other benchmarking subject.
Specific objectives provided by legal counsel.

In general, a best practice is to use an internal control framework the first time the control environment is audited at an
organization. This can help ensure that the criteria are well rounded and complete.

Tools and Techniques for Auditing the Control Environment

Auditing the control environment is an example of auditing “soft controls,” which means there will be subjectivity in the
assessments and direct evidence may be difficult to gather. Selecting tools and techniques may require thinking outside
the box. Examples include:

Using surveys to test the effectiveness of control environment elements such as ethics.

Using networking and discussions to evaluate if the actions of management align with their talk.

Leveraging internal auditors’ knowledge of the organization’s inner workings to provide corroboration on the
effectiveness of controls.

“Auditing by walking around” and being visible and observant, which can help:
Uncover intangible clues that prompt deeper assessments.
Reveal persons who are willing to provide opinions anonymously.

Assessing how management has reacted to past audits and recommendations.

Reviewing materials and experiences from internal auditor participation in committees, task forces, work groups, or
ethics and compliance program implementations.

Using data analytics to uncover anomalies.

Culture's Impact on Control Environment

The IIA’s Practice Guide “Auditing Culture” cites the definitions of culture and conduct from St-Onge et al. in Measuring
Conduct and Culture:
Culture represents the invisible belief systems, values, norms, and preferences of the individuals that form an
organization.
Conduct represents the tangible manifestation of culture through the actions, behaviors, and decisions of these
individuals.

Culture exists whether intentionally created or not at multiple levels:

National culture affects the desired objectives of an organizational culture. Researching the cultures of the various
countries where the organization’s business units are located and where they primarily do business is a best practice.
Organizational culture drives how the organization conducts business and executes its strategies.
Subcultures likely exist at different campuses, in different departments, etc.

Since internal auditors are part of the organization’s culture, it is difficult to be objective when evaluating culture. However,
due to the internal audit activity’s deliberate steps taken to be independent and objective, the activity is in the best position
of any of the three lines of defense to evaluate culture. The internal audit activity is also in a position to lead by example.
Internal auditors should be living and promoting organizational values (per Standard 2110).

Poor organizational culture may be the root cause of many control environment issues. A toxic culture can erode the
effectiveness of other control layers. Risk factors include:
Unreasonable deadlines or performance targets.
Incentives not aligned with values.
Employees with little or no risk training.
Organizational silos or other information impediments.
Mistrust toward auditors.
Dislike of controls or disregard of “inconvenient” laws or regulations.
Poor senior management accountability.
 Inability to accept evidence that disproves beliefs.
A belief that “this could never happen here.”
Failure to enforce standards of conduct.

Conversely, healthy organizational cultures have common characteristics:

Positive tone at the top. The board and senior management define, proactively model, and enforce accountability for
desired organizational values, including in their strategies.

Clear communication. Management sets explicit expectations in all communications, daily interactions, and meetings
with employees, customers, and third parties.

Open dialogue. Management listens to feedback or constructive criticism and has tools like ethics hotlines or open-
door policies to encourage dialogue.

Employee engagement. Objective-setting and strategy discussions are inclusive, such as by listening to personal
objectives and evaluating how they align to strategy.

Incentives aligned with core values. Compensation and incentives align with the organization’s core values and risk
appetite.

Assessments of Culture
An organization’s management and board are responsible for risk management related to culture and conduct. The
internal audit activity can aid management and the board with this task by providing targeted assessments of culture.
Assessments can review:
Root causes for both those areas with culture deficiencies and those deemed to be operating with best practices (to
benchmark culture impact).
Roles and responsibilities of the governance structure.
Programs for communicating values, strategies, and objectives.
Code of conduct, ethics, and sexual harassment training program effectiveness.
Incentives, hiring programs, disciplinary actions, escalation protocols, or treatment of whistleblowers.
Existing information sources for culture insights, such as employee survey data.

Audits of culture can take place in formal engagements, but ongoing monitoring can often be very effective. Ongoing
monitoring includes auditors being observers or participants in risk management meetings or quarterly financial results
meetings. If internal auditors are skilled at reading body language or “reading the room,” the reaction of people to things
like bad news or risk occurrences can be telling in regard to the culture.

Assessments of Ethical Climate

The internal audit activity can conduct an entity-wide review of ethics-related policies and processes. Such an evaluation
might consider using a maturity model. For each attribute to be tested, the board and/or senior management can choose
the desired level of maturity to use as a benchmark. Then the internal audit activity can determine the actual level through
testing.

When getting started, it is important to determine to whom the organization’s ethical principles and code-of-conduct rules
apply. Directors and employees are required to adhere to these principles and rules; suppliers, business partners,
contractors, and third-party service providers may also be required to abide by them.

Key areas for an ethical climate assessment to address include:

Whether ethical values are consistent among policy statements.
 Whether any policies lack ethics statements and, if so, whether they should be added.
Whether ethics statements are consistently expressed to enable staff to have a cohesive, easily understood picture of
expected behavior.
Whether statements are specific and concrete enough to be meaningful.

An entity-wide employee survey is a common tool for ethical climate assessments.

Culture and Engagements

When conducting an individual assurance or consulting engagement, the internal audit activity considers organizational
culture as a risk factor when setting audit scope. The risk is of a disconnect between stated and operating values for the
persons in the engagement area because these values, positive or negative, are inherent to how that work is getting done.

Self-assessment exercises, surveys, and questionnaires can be used to measure how well the key parties in the area
being audited (e.g., parties in joint ventures) understand organizational values, how well their own goals and objectives
align with those values, and the degree to which they see others in the organization living by those stated values.
Depending on the audience, questionnaires could:
Ask the board to trace their policies back to core values and identify any gaps.
Ask whether annual staff training programs on board policies and procedures occur in the audit area and ask for
descriptions of such programs.
Ask whether audit area staff are required to confirm their compliance with board policies and procedures at least
annually.

Internal auditors need to be aware that self-assessments, surveys, and questionnaires measure perceptions but that such
perceptions may or may not be accurate. Another consideration is that one way to get buy-in from the manager of the area
being audited and add value is to allow that person to add survey items related to culture issues they are interested in,
such as a sales manager asking sales staff about whether they feel undue pressure related to sales goals.

Audit programs can also be developed to test for each specific value in the written code of conduct. For example, an audit
program to assess “We value and respect all individuals” may focus primarily on HR policies and procedures and
observations of related behavior. If there is a second-line-of-defense compliance function for a particular value (e.g., health
and safety), the internal audit activity will still need to evaluate the effectiveness of those programs.

Topic 3: Risk and Risk Management

This topic introduces the subject of risk and the GRC process of risk management from the perspective of the
organization’s efforts in this area. It also addresses risk-based audit planning.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Implementation Guidance for Standard 2120
Practice Guide, “Assessing the Risk Management Process”

Risk Concepts
The IPPF glossary defines risk as follows:

The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is
measured in terms of impact and likelihood.

A key element of risk is the notion that it always involves uncertainty. Both positive and negative events can be uncertain.
Negative risks are sometimes called threats; positive risks are sometimes called opportunities. Anderson et al. in Internal
Auditing define an opportunity as “an action or potential action that creates or alters goals or approaches for creating,
preserving, or realizing value.”

Here are some fundamental concepts of risk:

Achieving strategic and operational objectives and succeeding in business requires putting the organization’s assets
and resources at some degree of risk.
Risks taken should be commensurate with the potential reward.
Risks are not single-point estimates. Rather, there will be a range of possible outcomes associated with a risk, such as
from worst case to most likely to best case.
Risk management should reduce the likelihood of negative events and increase the likelihood of positive events.

An event, also called an issue, is the occurrence or realization of a risk (threat or opportunity).

Note that an organization may adopt its own risk terminology, and it is the internal auditor’s responsibility to learn such
organization-specific terms and their definitions.

Risk Appetite
The IPPF glossary defines risk appetite as “the level of risk that the organization is willing to accept.” Some related terms
defined by Anderson et al. in Internal Auditing follow:

Tolerance. “The boundaries of acceptable outcomes related to achieving business objectives.”

Inherent risk. “The combination of internal and external risk factors in their pure, uncontrolled state, or the gross risk
that exists assuming there are no internal controls in place.”

Controllable risk. “The portion of inherent risk that management can reduce through day-to-day operations and
management activities.”

Residual risk. “The portion of inherent risk that remains after management executes its risk responses (sometimes
referred to as net risk).” Note that responses include application of internal controls or other risk management
measures.

Exhibit 1-34 presents a conceptual-level view of how the risk assessment process works to address inherent risk to
objectives but still results in some level of residual risk.

Exhibit 1-34: Conceptual View of Risk Assessment Process

Source: Adapted from “Enterprise Risk Management: What’s New? What’s Next” seminar, The Institute of Internal Auditors.

Here are additional considerations related to risk appetite:

The purpose of setting a risk appetite is to limit risks to organizational objectives to an acceptable level. This is done by
comparing the cost to the benefits of control.
 Because the future is uncertain, there is no way to completely eliminate risk. (Some amount of residual risk will
remain.)
Risk appetite helps the board and management prioritize potential strategies and resource allocations.
Risk appetite can be defined at a high level and at increasing levels of detail.
Risk appetite can differ between business units or products (with higher risk being acceptable for areas with higher
potential for reward).
Risk appetite can change based on changes in the external environment.

Internal auditors can learn about the organization’s risk appetite by reviewing the organization’s risk management policies
and discussing the organization’s risk management philosophy with the board, senior management, or risk management
officers. The chief financial officer and external auditors can also help define financial reporting risk appetite. (Typically this
is highly risk-averse.)

Enterprise Risk Management (ERM)

The IPPF glossary defines risk management as “a process to identify, assess, manage, and control potential events or
situations to provide reasonable assurance regarding the achievement of the organization’s objectives.” COSO’s
Enterprise Risk Management: Integrating with Strategy and Performance defines enterprise risk management (ERM) as:

The culture, capabilities, and practices, integrated with strategy-setting and performance, that
organizations rely on to manage risk in creating, preserving, and realizing value. It does not refer to a
function, group, or department within an entity.

Every organization exists to deliver value to its stakeholders.

Value is created when the benefits from resource investments exceed the cost of those resources. (The opposite would
mean that value is being eroded.)
Value is preserved when resources deployed in daily operations sustain the things creating the benefits, such as
maintaining customer loyalty.

ERM exists to help organizations understand the nature of the risks they are facing, determine the amount of risk they are
willing and able to accept, and proactively respond to risks to:
Create and preserve value (and realize it by delivering actual benefits to stakeholders).
Achieve organizational objectives.
Improve deployment of resources using a risk-based approach.
Reduce volatility and improve stability (a key objective of shareholders and lenders).

Key Point
ERM is likely to be effective in creating value when the organization’s ERM capabilities are aligned with each other and
are fully integrated into operations. Managers should not just manage their own risks within their own organizational
“silos.” Integration is a sign of ERM maturity that helps prioritize tradeoffs and improves timeliness.

The organization’s mission, vision, and values need to drive the strategy, business objectives, and performance objectives
to result in value. Enterprise risk management:
Validates that the strategy and objectives align with the mission, vision, and values.
Projects the results and implications of the chosen strategy.
Enumerates and evaluates the risks to the strategy and performance.

Risk Governance and Other ERM Roles

The organization’s governance functions (the board and senior management) are responsible for supporting and
championing the use of ERM. This function also creates demand for relevant, reliable, and timely risk analysis and
reporting. The board is responsible for ensuring that risks are managed and that there is an adequate ERM system in use.
The board may establish a risk committee, or the audit committee may have this responsibility.

In practice, the board will delegate the operation of the ERM framework to management. Senior management may, in turn,
create specialized risk management roles and add ERM to the scope of duties of other roles, such as:
Chief risk officer.
Financial executives.
Line managers and employees. (Risk management is everyone’s responsibility.)
Internal auditors.
Independent outside auditors.
External stakeholders, including customers, creditors, financial analysts, suppliers, and outsourced service providers.

Key Point
Management owns ERM, not internal auditing, but the internal audit activity is important in monitoring and
recommending improvements in the organization’s ERM practices.

A key need and opportunity for adding value for the internal audit activity is to assess ERM practices and recommend
improvements. Internal auditors also may provide other services such as:
Educating the board and senior management on the importance or methods of ERM.
Facilitating risk management training sessions.
Promoting risk language and use of the organization’s framework in internal audit activity work.

Risk Culture
Effective risk management depends on the organization having a culture that is open to the discussion of positive and
negative risks. For ERM to function properly, persons at all organizational levels need to be able to raise or escalate risk
issues without fear of retaliation. This enables:
The ERM process to be transparent.
A high level of organizational risk awareness.

A culture that is not ready for ERM can undermine the hard work of persons performing risk analysis and reporting even
when policies and procedures are in place to ensure that ERM occurs. For example, if the results of a risk analysis are not
discussed or incorporated into decisions, then the process will be ineffective.

While culture shifts are difficult and time-consuming, some steps to start transforming a culture to better leverage ERM
might include periodic forums for discussing risk or creating clear risk management roles and responsibilities in the
organization. Consulting engagements may be the best way to work to improve risk culture.

ERM Process Overview

A generic ERM process consists of identifying and categorizing risks, evaluating their impact and likelihood and doing
other forms of analysis and prioritization, selecting and implementing risk responses in a timely fashion (possibly including
planning for specific scenarios), and communicating and reporting on risks and responses.

ERM needs to be an ongoing process. New risks continually arise and their risk ratings change, so a best practice is to
match risk assessment frequency to the velocity of risk profile changes. Methods to continually acquire new risk
information include:
Management call programs.
 Quarterly risk committee involvement.
Specific risk topic discussions at each audit committee or board meeting.
Automated tools to capture and understand risk indicators.

Steps in the ERM process are discussed more next.

Risk Identification and Categorization

An organization identifies and categorizes the risks it encounters to ensure that important risks are captured. Risks in the
same category could also potentially be addressed by creating a response that addresses several related risks. A common
approach for risk identification and categorization is to have a brainstorming session to identify as many risks as
possible and then place the identified risks into categories. A good place to start is to use a generic risk model, such as the
one from Internal Auditing by Anderson et al., as shown in Exhibit 1-35.

Exhibit 1-35: Generic Risk Model

Strategic Risks Compliance Risks Reporting Risks

External: External: External:
Changes in laws and Contractual Accounting and financial
regulations Regulatory reporting
Competition Litigation Taxation
Change in markets Permits Internal:
Industry Internal: Budgeting
Technology Ethics Performance measures
Internal: Policies Internal control and
Reputation Fraud and illegal acts regulatory reporting
Strategic Information Resources
Satisfied customers
Access
Governance
Availability
Data integrity
Infrastructure
Privacy
Operation Risks
Process: People: Financial:
Supply chain capacity Labor supply Interest rates
Process execution Leadership, key Foreign exchange rates
Health and safety employees Capacity
Business continuity Incentives Default
Cycle time Empowerment Concentration
Catastrophic events Change readiness Capital availability
Lack of product Communications Cash management
innovation Commodity pricing
Duration

Source: Adapted from Anderson et al., © 2017. Internal Auditing: Assurance and Advisory Services, 4th Edition.

Exhibit 1-36 summarizes some common risk identification approaches.

Exhibit 1-36: Common Risk Identification Approaches

Technique Description Example

Event Detailed listings of potential events Lists of typically encountered

inventories common to companies within a events in a custom software
particular industry, process, etc. development project
Internal Detailed analysis of information; New product launch analysis that
analysis data from ongoing operations or examines internal data and events
 other business units, customers, affecting the success of
suppliers, or external sources competitors’ products
Escalation or Comparison of transactions/events Review of the organization’s pricing
threshold against predefined criteria alerting structure when competitors’ prices
triggers management to areas of concern reach a specific threshold
that may require assessment or
fast response
Facilitated Facilitator-led events to draw on the Focus group with accounting team
workshops knowledge and experience of led by a financial controller to
and interviews management, staff, and identify events that have an impact
stakeholders regarding on the organization’s external
achievement of objectives financial reporting
Process flow Combination of inputs, tasks, and Medical lab making process maps
analysis responsibilities in a process; for the receipt and testing of
internal and external factors or samples and then evaluating the
events that could impact process process maps for risks
objectives
Leading key Qualitative or quantitative Monitoring loan payment patterns
indicators measures that help identify to mitigate potential for default
upcoming changes to risks
Loss event Examination of past individual loss Insurance company examining a
data events to identify trends and root historical database of accident
methodologies causes; assessment of whether to claims to identify the root cause of
treat the root cause or address the accidents
individual events

Source: Adapted from Enterprise Risk Management—Integrated Framework and Enterprise Risk Management—Integrating with Strategy and
Performance, © 2004 and 2017, Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with
permission.

Analysis: Impact, Likelihood, and Heat Maps

Management analyzes every identified risk by determining two risk factors (definitions are from Anderson et al., Internal
Auditing):
Impact. “The adverse effect of a risk outcome.”
Likelihood. “The odds or probability of the risk occurring.”

Examples of some common likelihood and impact factors are shown in Exhibit 1-37.

Exhibit 1-37: Common Likelihood and Impact Factors

Likelihood Factors Impact Factors

Probability based on history or Materiality (e.g., dollar loss)

cycles Potential reputation or brand
Complexity of activities damage
Change or stability (e.g., employee Importance of the related
turnover or new laws) objective to the organization’s
Control environment mission
Control process effectiveness Velocity of occurrence, duration,
and/or pervasiveness of the
event
Recovery costs

Both impact and likelihood can be defined using subjective or objective methods. Organizations determine the scales they
want to use and assign meanings to each category.
A subjective scale is not quantifiable or measurable but is instead a set of general categories such as negligible, low,
medium, high, and extreme.
 An objective scale may add a monetary value range to each level (for impact) or a percentage range (for likelihood).

Key Point
An important audit consideration is that risk analysis scales be used consistently across the enterprise and that people
using the scales have a shared understanding of the meanings of each element.

Next, a heat map is used to determine each risk’s overall rating or severity. A heat map, also called a risk assessment
model, is a two-axis risk assessment chart or grid that places impact on one axis and likelihood on the other to create a
combination assessment of a risk’s overall rating.

A risk rating, also called severity, is a combination assessment of a risk’s impact and likelihood. Organizations define the
categories and what risk ratings to put in each category.

Exhibit 1-38 shows an example of a heat map from Anderson et al. in Internal Auditing. It includes examples of the
monetary impact and percentage ranges that might be used. (Such ranges will vary based on the size of the organization
or other factors.)

Exhibit 1-38: Heat Map

Source: Anderson et al., Internal Auditing: Assurance and Consulting Services, 4th edition.

Each risk identified in the earlier parts of the process can be mapped to a specific location on the heat map. (Note how
each cell created in the grid is assigned a number.) For example, if data privacy risks are considered high in impact and
probable in likelihood, privacy risks would be placed in box 21 and be considered a critical risk. Risks in higher- numbered
boxes get more analysis in general, but all get some form of response.

The process of placing risks on the heat map is best performed in a team session to capture the consensus of the persons
with the best understanding of the risks being discussed. For risk management at the enterprise-wide level, it is important
to involve senior management (if available), operations management, and more experienced internal auditors.

The next step in the analysis phase is to link each risk back to one or more specific business objectives. This shows what
areas of the organization would be impacted. Risk categories, such those shown in Exhibit 1-35, will help with this
exercise. For example, risks in the strategic risks category will likely trace back to strategic objectives. Performing this
process could result in modifying a risk’s impact. It also helps ensure completeness, because it could reveal more risks
that need to be mapped.

Many organizations further refine the risk analysis process to account for other risk factors, such as urgency of response
needed and so on. These additional considerations may result in modifying a risk’s overall rating or be a consideration
when choosing a risk response.

Risk Responses
For each risk analyzed, the organization determines a response that will be cost-effective, meaning that the cost of the
response is not greater than the cost of the impact if the event were to occur. Categories of risk responses include:

Acceptance. No action is taken to decrease risk impact or likelihood. The organization is willing to accept the risk at
the current level rather than spend resources on it (or no viable plan can be devised).

Avoidance. A decision is made to exit or divest of the activities giving rise to the risk (e.g., exiting a product line or
country of operations).

Pursuit. Exploit the risk if taking such a risk is advantageous to the organization or is necessary to achieve a particular
business objective (e.g., entering a new product line or region).

Reduction. Action is taken to reduce or mitigate the risk impact, likelihood, or both. Implementing controls is an
example.

Sharing. The risk impact or likelihood is reduced by transferring or sharing a portion of the risk with a third party.
Insurance, outsourcing, and partnering are examples.

Risk Scenario Planning

Certain extreme events, such as disruptive competitive innovations, cybersecurity threats, or commodity cost volatility,
may require developing more detailed risk response plans, perhaps as part of an overall business continuity plan. Making
plans for such events helps keep ERM processes proactive and helps avoid a potential ERM deficiency in which the
process primarily just maps past business events into the future.

Risk Communication and Reporting

Risk communication and reporting need to leverage the organization’s IT so that risk data can be efficiently collected and
risk analysis information can be presented in a timely fashion in an easily digestible format. To avoid information overload,
present the right level of information at the right level of detail for the audience’s decision-making needs.

Communications regarding risk management include providing the rationale for using ERM along with the guidelines for
applying it appropriately. This includes communicating risk appetite levels and other management expectations. Specific
communications and reports about risk also need to occur with the board and at every level of management.

Risk Management Standards 2120 and 2120.A1

According to The IIA

Performance Standard 2120, “Risk Management”
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management
processes.
According to The IIA
Implementation Standard 2120.A1 (Assurance Engagements)
The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and
information systems regarding the:
Achievement of the organization’s strategic objectives.
Reliability and integrity of financial and operational information.
Effectiveness and efficiency of operations and programs.
Safeguarding of assets.
Compliance with laws, regulations, policies, procedures, and contracts.

Let’s break down the first part of Standard 2120’s interpretation (shown in italics) and implementation guidance or other IIA
guidance (the sub-bullets). The interpretation starts with the following preamble: Determining whether risk management
processes are effective is a judgment resulting from the internal auditor’s assessment that:

Organizational objectives support and align with the organization’s mission.

Review strategic and business plans, discuss with the board and senior management, and interview mid-level
management to gain insight on alignment and risk appetite at the business unit level.

Significant risks are identified and assessed.

Important risk categories include strategic, compliance, reporting (including financial reporting), IT resources
(including cybersecurity), and operational (including processes, people, and financial) risks.
The internal audit activity should alert management to new or inadequately addressed risks.
The internal audit activity may consider using an established ERM framework.

Appropriate risk responses are selected that align risks with the organization’s risk appetite.
The CAE discusses risk appetite, risk tolerance, and risk culture with senior management and the board and
reviews related policies and meeting minutes.
The internal audit activity provides recommendations and action plans for improving risk responses.
The internal audit activity may independently perform gap analyses to look for significant risks not being identified
or addressed.

Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff,
management, and the board to carry out their responsibilities.
The internal audit activity should have a process in place to plan, audit, and report on ERM.
Interview staff at various levels to determine if the organization’s objectives, significant risks, and risk appetite are
sufficiently articulated and understood.
The internal audit activity may review board minutes to determine whether the most significant risks are
communicated in a timely fashion and the board is acting to ensure that management is responding appropriately.
If the CAE concludes that management is taking on unacceptable levels of risk, the CAE must discuss the matter
with senior management and may discuss it with the board, per Standard 2600, “Communicating the Acceptance of
Risks.”

Key Point
It is important for internal auditors to identify whether risk information is used in decision making and whether risk
responses are appropriate to the organization’s risk appetite and ERM strategy.

Let’s break down the remainder of Standard 2120’s interpretation and implementation guidance or other IIA guidance.

The internal audit activity may gather the information to support this assessment during multiple engagements. The
 results of these engagements, when viewed together, provide an understanding of the organization’s risk management
processes and their effectiveness.
Internal auditors should attain an understanding of the organization’s current ERM environment and responses to
prior risks.
Internal auditors consider the organization’s size, complexity, life cycle, maturity, stakeholder structure, and
changes in laws, competitors, etc.
Internal auditors review ERM maturity to determine how much to rely on the organization’s ERM assessments.
An organization may believe it has higher maturity than it has in actual practice.
Highly regulated industries tend to have higher levels of ERM maturity.

The internal audit activity typically also does its own risk assessments.

Risk management processes are monitored through ongoing management activities, separate evaluations, or both.
It is important to know how the organization does ERM and oversees it before starting to implement Standard 2120.
Demonstrating conformance to this standard can use the internal audit charter, internal audit plans, and related
ERM meeting minutes.
The internal audit activity will evaluate the responsibilities of the board and those in key ERM roles by reviewing
completed risk assessments and reports.
The internal audit activity may evaluate the adequacy and timeliness of remedial actions by reviewing control
designs and testing the controls and monitoring procedures.

In addition to assessing the organization’s ERM, the internal audit activity should also take the necessary steps to ensure
that it is managing and correcting deficiencies related to its own risks, such as audit failure, false assurance, and
reputation risks.

Risk-Based Audit Planning

According to The IIA

Performance Standard 2010, “Planning”
The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity,
consistent with the organization’s goals.

Internal auditors cannot evaluate every possible risk facing an organization. The multiple sources of potential
engagements coupled with the related scope of work require the efficient use of limited internal audit resources. A risk
assessment framework for audit planning provides a systematic way for the CAE and the internal audit activity to assess
internal and external risk factors and develop an annual audit plan.

Interpretation helps us understand how to develop the risk-based audit planning framework:
The CAE is responsible for developing a risk-based plan.
The CAE takes into account the organization’s risk management framework, including using risk appetite levels set by
management for the different activities or parts of the organization.
If a framework does not exist, the CAE uses his/her own judgment of risks after consideration of input from senior
management and the board.
The CAE must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks,
operations, programs, systems, and controls.

Frameworks for assessing and developing risk-based audit plans will vary between organizations. An organization’s size,
formality, management team dynamics, industry, regulatory requirements, and other demographics are some of the
potential influencing factors. Most risk-based frameworks for internal audit planning include the steps listed in Exhibit 1-39.
 Exhibit 1-39: Risk-Based Assessment Framework for Internal Auditing

Step Description

Determine the Identifies all organizational sources of potential engagements and

audit universe. all potential auditable units.
Also identifies specific activities (auditable activities) in a functional
area at risk.
Auditable units may vary depending on the industry or nature of the
organization; for example, locations, processes, products, or
divisions may be considered.
Example: A list of all organizational units/processes (can be hundreds
of items).
Examine Develops and applies standard risk assessment methodology for
organizational qualitative and quantitative measurement(s) of risk within and
risk factors. across all auditable units.
Assesses internal and external organizational risks based on their
impact on organizational objectives more than on the extent of
change in specific functions.
Considers potential engagement sources.
Involves discussing the audit universe with organizational senior
managers to identify levels of risk, planned new activities, and/or
process changes.
Incorporates ERM results (if the organization has an ERM process).
Considers other internal and external assurance activities.
Example: Consideration of size of revenue or assets, visibility of
areas, liquidity or cash flow, results of other reviews, and reported
problems.
Prioritize audits. Evaluates proposed engagements.
Establishes criteria and ranks the risks based on their significance
to organizational objectives and risk appetite.
Considers if the internal audit staff is sufficient to cover all the
primary risks and whether some can be delayed and/or handled by
other assurance providers.
Leads to the annual audit plan.
Example Identification of the most important areas to audit during the
upcoming year based on high-level risk evaluations, planned process
changes, and requests from management coupled with the internal
audit resources available.

According to The IIA

Implementation Standard 2010.A1 (Assurance Engagements)
The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at
least annually. The input of senior management and the board must be considered in this process.

Internal audit activities can leverage their organization’s ERM framework—if one exists—and apply it to the selection of
audit engagements, engagement criteria, and audit tools.

Once a risk-based annual audit plan exists, the next step is to perform individual engagement planning, which also
includes a risk assessment component.

Topic 4: Risk Management Frameworks

Organizations may choose to implement enterprise risk management in different ways. Best practice has shown that using
a framework can improve the efficiency and effectiveness of ERM. By formally organizing risk management responsibilities
and activities in a framework, an organization is better positioned to achieve its strategic objectives. Use of a framework
helps to ensure that risk management activities are focused on ERM (rather than on risk management at the functional
level) and that risk is being proactively managed (not just reduced).

There are numerous ERM models. They generally vary in their focus and complexity. Some are highly specialized
frameworks applicable to specific situations (e.g., IT security, insurance). Here we will look at two major frameworks:
COSO’s ERM framework and ISO 31000.

A discussion of internal audit activity assurance over ERM follows discussion of these frameworks.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Practice Guide, “Assessing the Risk Management Process”
Practice Guide, “Assessing the Adequacy of Risk Management using ISO 31000”

COSO’s ERM Framework

The COSO (The Committee of Sponsoring Organizations of the Treadway Commission) ERM framework is called
Enterprise Risk Management—Integrating with Strategy and Performance. The purpose of this framework is to help
organizations accelerate growth and enhance performance by integrating ERM at every organizational level and applying
the principles of the framework to everything from strategic decision making to performance management.

The COSO ERM framework addresses the evolution of ERM as integral to development and achievement of strategy
through effective organizational performance and value creation. Supporting an organization’s mission, vision, and core
values is a key differentiator. The model describes the connection between strategy, business objectives, performance
(what the organization strives to achieve), and ERM components (what is needed to achieve the objectives).

This framework introduces key ERM concepts and a common ERM language and provides principles-based guidance. It
addresses the need for organizations to improve their approach to managing risk to meet the growing demands in
business.

The COSO ERM framework is applicable to all industries and all types of risk. It has gained broad acceptance by many
organizations globally.

Components of COSO ERM Framework

The COSO ERM framework consists of five interrelated components, shown in Exhibit 1-40.

Exhibit 1-40: Components of COSO ERM Framework

Component Description

Governance and Governance sets the organization’s tone, reinforcing the importance
culture of, and establishing oversight responsibilities for, ERM. Culture
pertains to ethical values, desired behaviors, and understanding of
risk in the entity.
Strategy and ERM, strategy, and objective setting work together in strategic
objective setting planning. A risk appetite is established and aligned with strategy;
business objectives implement strategy while forming a basis for
identifying, assessing, and responding to risk.
Performance Risks to achievement of strategy and objectives are identified and
assessed. Risks are prioritized by severity (impact and likelihood) in
the context of risk appetite. The organization selects risk responses
and takes a portfolio view of the amount of risk it has assumed and
reports key risks to stakeholders.
 Review and By reviewing entity performance, an organization can consider ERM
revision component effectiveness as the organization changes and what
revisions are needed.
Information, ERM requires a continual process of obtaining and sharing
communication, necessary information, from both internal and external sources,
and reporting which flows up, down, and across the organization.

Source: Enterprise Risk Management—Integrating with Strategy and Performance, © 2017, Committee of Sponsoring Organizations of the Treadway
Commission (COSO). All rights reserved. Used with permission.

Strategy and objective setting, performance, and review and revision represent common processes that flow through an
organization. The other components—governance and culture and information, communication, and reporting—are
supporting aspects of ERM.

Principles of COSO ERM Framework

These five components are supported by a set of 20 principles—the things the organization would do as part of the ERM
process. The principles, listed in Exhibit 1-41, provide senior management and the board with a reasonable expectation
that the organization understands and strives to manage the risks associated with its strategy and business objectives.

Exhibit 1-41: Principles of COSO ERM Framework

Component Principles

Governance 1. Exercises board risk oversight—The board of directors provides

and culture oversight of the strategy and carries out governance
responsibilities to support management in achieving strategy and
business objectives.
2. Establishes operating structures—The organization establishes
operating structures in the pursuit of strategy and business
objectives.
3. Defines desired culture—The organization defines the desired
behaviors that characterize its desired culture.
4. Demonstrates commitment to core values—The organization
demonstrates a commitment to its core values.
5. Attracts, develops, and retains capable individuals—The
organization is committed to building human capital in alignment
with the strategy and business objectives.
Strategy and 6. Analyzes business context—The organization considers potential
objective effects of business context on risk profile.
setting 7. Defines risk appetite—The organization defines risk appetite in the
context of creating, preserving, and realizing value.
8. Evaluates alternative strategies—The organization evaluates
alternative strategies and potential impact on risk profile.
9. Formulates business objectives—The organization considers risk
while establishing the business objectives at various levels that
align and support strategy.
Performance 10. Identifies risk—The organization identifies risk that impacts the
performance of strategy and business objectives.
11. Assesses severity of risk—The organization assesses the severity
of risk.
12. Prioritizes risks—The organization prioritizes risks as a basis for
selecting risk responses.
13. Implements risk responses—The organization identifies and
selects risk responses.
 14. Develops portfolio view—The organization develops and evaluates
a portfolio view of risk.
Review and 15. Assesses substantial change—The organization identifies and
revision assesses changes that may substantially affect strategy and
business objectives.
16. Reviews risk and performance—The organization reviews entity
performance and considers risk.
17. Pursues improvement in enterprise risk management—The
organization pursues improvement of enterprise risk management.
Information, 18. Leverages information and technology—The organization
communication, leverages the entity’s information and technology systems to
and reporting support enterprise risk management.
19. Communicates risk information—The organization uses
communication channels to support enterprise risk management.
20. Reports on risk, culture, and performance—The organization
reports on risk, culture, and performance at multiple levels and
across the entity.

Source: Enterprise Risk Management—Integrating with Strategy and Performance, © 2017, Committee of Sponsoring Organizations of the Treadway
Commission (COSO). All rights reserved. Used with permission.

The components and principles of the framework do not represent isolated, stand-alone concepts. COSO states that
enterprise risk management is not static. It is integrated into the development of strategy, the formulation of business
objectives, and the implementation of those objectives through day-to-day decision making.

More information on COSO’s Enterprise Risk Management—Integrating with Strategy and Performance can be found on
the COSO website, at www.coso.org.

ISO 31000 Framework

ISO 31000:2018, “Risk management—Guidelines,” is a simple and concise international standard and framework for the
systematic development of enterprise risk management. It can be used successfully by any size or type of organization
because the organization can adapt the framework to the proper scope and environmental context. The purpose of ISO
31000 is to help organizations manage uncertainty. It provides a guide for managing risk based on key principles, a
framework, and a process.

ISO 31000 Principles

ISO 31000 is a principles-based standard intended to generate transparency and credibility within the risk management
function. The principles describe characteristics of effective and efficient risk management and should be used as a
foundation for establishing an organization’s ERM processes.

Assessments of the organization’s overall risk management process can use these key principles as an audit approach to
ensure that the process is complete and effective. This is just one of several audit approaches that will be addressed in
this topic. An audit based on ERM principles would assess the extent to which each principle is true for the risk
management process. Exhibit 1-42 provides an overview of the ISO 31000 principles (these are paraphrased) along with
examples of how they can be used as audit tests.

Exhibit 1-42: ISO 31000 Principles and Related Audit Tests

Audit Test
Principle
(Extent to which the following are true)

Integrated Risk management is not an add-on task.

Risk management is an integral part of all

 activities in an organization.

Structured and comprehensive The organization has its own framework or

Risk management should follow a uses a standard framework.
structured and comprehensive approach to
provide consistent results.

Customized Rather than being an out-of-the-box

Risk management is customized to the process, the process matches the
organization’s operating environment, organization’s operations.
culture, and objectives.

Inclusive There should be appropriate and timely

Risk management is inclusive of all involvement of stakeholders.
stakeholders, providing improved
communications and risk management
awareness.

Dynamic The process is regularly reviewed for

Risk management uses an iterative cycle organizational and environmental
to generate continual improvement, relevance. Risk management matures
organizational learning, and quick along with other organizational processes.
response to changing environments and
emerging risks.

Best information available Obtaining information can be expensive,

Risk management makes use of the best and so the process has guidance on what
historical, current, and future-oriented constitutes sufficient information. The
information available. Relevant process documents areas of uncertainty
stakeholders need timely and clear and how best to address uncertainty.
information. Information is timely if it is available when
decisions need to be made.
Behavioral and cultural factors The process is appropriate to the
Risk management is influenced by competence and culture of those who use
organizational culture and staff behavior. it.

Continuous improvement ERM has a deliberate process for

Learning and experience are used to gathering, considering, and incorporating
continually improve risk management. feedback related to the efficiency and
effectiveness of the program.

ISO 31000 Framework Components

The ISO 31000 framework components assist in integrating risk management into all organizational activities and
functions. These components, which should work together and be customized as needed to achieve the organization’s
own objectives, include:

Leadership and commitment. Oversight by top management ensures that a risk management approach is integrated
into all activities, promoting the value to the organization and stakeholders.

Integration. Risk management should be a key aspect of governance. It should be aligned to the organizational
purpose, strategy, objectives, and operations.

Design. The framework should be designed to fit the context of the organization and demonstrate the commitment to
risk management.

Implementation. Success requires stakeholder engagement and awareness. The framework ensures that a risk
management process is included in all activities.
 Evaluation. To evaluate the effectiveness of the framework, auditors should measure performance against indicators
and expected behaviors.

Improvement. Organizations should continually monitor and adapt the framework to address identified gaps and
incorporate enhancements.

ISO 31000 Cycles

At a high level, the ISO 31000 framework is a cyclical process that begins with top executives expressing a strong
commitment to risk management and mandating its adoption based upon the principles described above. The framework
is then designed and customized. Once implemented, it is monitored and reviewed to enable continual improvement.

The implementation phase has its own cycle, as shown in Exhibit 1-43.

Exhibit 1-43: ISO 31000 Implementation Phase Process Framework

Assurance Based on ISO 31000 Process Elements

Assurance of management’s overall risk management process can use the process elements of ISO 31000 as an audit
approach. For each of the following elements, it is essential to substantiate with sufficient audit evidence that
management’s expressions of intent are being satisfied in practice.

Communication and consultation. Structured and ongoing communication and consultation occur with parties
affected by operations.

Establish context. The external environment (political, social, etc.) and internal environment (strategies, structures,
ethics, etc.) are understood as a prerequisite of identifying the full range of risks.

Risk identification. Identifying risks uses a formal, structured process that considers risk sources, impact areas,
potential events, causes, and consequences.

Risk analysis. A formal technique is used to consider each risk’s impact and likelihood.

Risk evaluation. A method is used to rank the relative importance of each risk so that a treatment priority can be
established.

Determine risk treatment. Rational decisions are made about risk treatment (acceptance, avoidance, pursuit,
reduction, and sharing).

Monitoring and review. Progress of treatment plans, existence and effectiveness of controls, avoidance of proscribed
activities, and environment changes are monitored and reviewed.
 Record and report. Reports are made in the appropriate frequency and level of detail to the appropriate parties.

How the ISO 31000 and COSO ERM Frameworks Compare

The ISO 31000 and COSO ERM frameworks are very similar. Both approaches:
Help organizations achieve their business objectives through the effective management of internal and external risks.
Recognize the importance of embedding a risk management mentality in the culture of the organization.
Recognize the importance of the “tone at the top” in risk management.
Are deliberately broad in focus yet allow for more detail-level integration.
Recognize that risk management is a complex iterative process requiring multidisciplinary skills to implement and
manage properly.

While the risk management processes are parallel in nature, there are some differences. One difference is in terminology.
ISO 31000 uses “risk treatment,” whereas COSO employs “risk response.” Another difference is that the components of
COSO ERM and ISO 31000 do not align precisely, as is shown in Exhibit 1-44.

Exhibit 1-44: Differences Between COSO ERM and ISO 31000

Components

COSO ERM Components ISO 31000 Components

Governance and culture Leadership and commitment

(Process: communication and
consultation)

Strategy and objective setting Integration

Design
(Process: scope, context, criteria)

Performance Implementation
Identifies risk (Process: risk identification)
Assesses severity of risk
(Process: risk assessment)
Prioritizes risks
(Process: risk analysis)
Implements risk responses
Develops portfolio view (Process: risk treatment)

Review and revision Evaluation

Improvement
(Process: monitoring and review)

Information, communication, and (Process: communication and

reporting consultation)
(Process: recording and reporting)

Assessments of ERM
Internal audit activity assessments of the organization’s ERM typically occur either when the organization has no real ERM
process or if the CAE determines that management’s assessment of its ERM effectiveness is not reliable. Otherwise, the
internal audit activity can typically rely on the organization’s own ERM assessment. ERM assessments can provide:
Assurance on the risk management process itself (addressed here).
Assurance on significant risks and management assertions of control as part of a risk-based audit (addressed
elsewhere).
Follow-up on risk treatment plan status or planned control remediations (addressed here).

Assessments of the risk management process itself are a good way for the internal audit activity to help the organization
adopt or improve its risk management systems. Note that if there is resistance to the idea of performing risk assessments
at all (e.g., it is considered a non-beneficial or time-consuming bureaucratic exercise), the internal audit activity is likely
facing a risk culture issue.

ERM assessments start with a gap analysis that evaluates current capabilities, processes, and systems. If any essential
elements are missing, the organization’s efforts to manage significant risks will be ineffective. Here are some
considerations:
In addition to the nature and significance of risks, consider the competence and experience of persons performing
ERM.
Avoid duplication of effort with compliance functions and risk management specialists. An assurance map (see Practice
Advisory 2050-2) can help ensure coordination.

Key objectives of internal audit activity assessments of the organization’s ERM may include the following:
Management has a vision for the risk management process.
Business strategy risks are identified and prioritized.
Management and the board have determined the general level of risks and the risks required for the chosen strategy to
be tolerable.
Management’s ongoing monitoring includes periodic reassessments of risks and the effectiveness of controls.
Risk management roles periodically report on ERM results to the board (or risk committee/audit committee) and senior
management.
Management assesses the risk profile of strategies or opportunities that use innovation.

Assessment approaches can include:

Assessments based on ongoing monitoring.
Assessments based on a maturity model.
Resource-based assessment approaches (top-down, bottom-up, or combination).
Assessments that rely on ISO 31000 principles and/or process elements.

Adoption of more than one approach can yield the most informative and useful results. The approach(es) selected should
be tailored to the organization’s needs.

Key Point
Regardless of the assessment approach(es) selected, always include normal control-based assurance that determines
whether:
Risks are being effectively identified and appropriately analyzed.
There is adequate and appropriate risk treatment and control.
There is effective monitoring and review by management to detect changes in risks and controls.

Assessments and follow-up also include process and documentation reviews, analytical techniques, recommendations,
and follow-up on risk treatment plan status. Assessments based on ongoing monitoring and on a maturity model and
resource-based assessment approaches are discussed more next.

Assessments Based on Ongoing Monitoring

A good example of assessing ERM using ongoing monitoring is for internal auditors to be present in risk management
meetings at the levels being assessed. Observations such as these can help determine if there are gaps between the
design and implementation of ERM.

A combination of ongoing monitoring and separate evaluations is a best practice. Note that the more effective the ongoing
monitoring, the less need there may be for separate evaluations. Because ongoing evaluations are done in real time, they
can be adapted to dynamically changing conditions.
Assessments Based on a Maturity Model
Risk culture and risk management maturity level play a role in the organization’s risk attitude, which the ISO defines as
an “organization’s approach to assess and eventually pursue, retain, or turn away from risk.” Exhibit 1-45 shows an
example of a risk management maturity model. Internal auditors can assess the organization’s actual position as part of
assessing the organization’s ERM process, but note that it may not be necessary or practical for an organization to aspire
to the highest level. A level of 2 or 3 may be acceptable. Conversely, an organization may need a push to a higher level if
the culture is ready.

Exhibit 1-45: Risk Management Maturity Model

Stage Culture Governance Process

1: Initial Risk belongs to the CAE/audit Risk-based auditing

internal audit committee chair
activity.
2: Repeatable Risk is considered Business managers As-needed risk and control
on an as-needed self-assessment process
basis.
3: Defined Internal audit and All levels of Common risk language
control functions management and and risk assessment
share risk board process used by internal
information. audit and control functions
4: Managed Risk is integrated Executives and Common risk language
into strategic board and consistent risk
planning; risk assessment processes in
appetite is all of organization
communicated.
5: Optimized Risk is integrated Total participation Common risk language
into all decision and aggregated risk
making, reporting through the
compensation, and organization
goals.

Source: The IIA’s “Assessing the Risk Management Process” Practice Guide.

The organization’s desired level of ERM maturity can help set the scope of ERM assessments and serve as evaluation
criteria. Depending on maturity, scope/criteria may include:
The organization has a process to manage the risk of noncompliance with external laws and regulations (this is the
minimum scope) and with internal policies and procedures.
The internal audit activity does not have management responsibility for ERM.
There is a common risk language, and consistent risk assessment processes are used.
An ERM framework is used and adapted to the organization and business environment.
Leading risk management practices (e.g., industry and professional guidance) are used.

Resource-Based Assessment Approaches

Because assessing an entire risk management process is a labor- and time-intensive exercise, the CAE should develop
an approach that considers the available resources while fulfilling audit objectives. Three examples include a top-down,
bottom-up, or combination approach. Exhibit 1-46 compares these approaches.

Exhibit 1-46: Types of ERM Audit Assessment Approaches

Top-Down Approach
Effective Interviews
methods Document reviews
 Participants Board members (e.g., audit and/or risk
committee chairs)
Senior management
Group/division management
Limitations Low level of detail.
Assessment may take a governance focus
due to the participants involved.
Board and senior management views may not
represent remainder of organization,
especially regarding culture.
Bottom-Up Approach
Effective Interviews
methods Surveys
Document reviews
Walkthroughs
Participants Line managers
Supervisors
Limitations Surveys may be confusing without a risk
process/language background.
Feedback may be inconsistently distributed
across participants.
Participants may not make time (indicative of
low priority given to ERM).
Combination Approach
Effective Interviews with higher-level personnel
methods Surveys with lower-level personnel
Document reviews
Participants Board members (e.g., audit and/or risk
committee chairs)
Senior management
Group/division management
Line managers
Limitations While this approach can be more
comprehensive, it could be more
expensive/time-consuming, and any of the
prior limitations may still apply.

A top-down assessment is good for strategic-level identification and evaluation of exposures. These assessments can
serve as a catalyst to get the organization moving toward its desired ERM maturity level. Internal auditors performing such
assessments should understand the business and its strategy as well as external environment and stakeholder risk priority
changes. Interviews (or brainstorming sessions) can get board members or senior management engaged by leading off
with targeted questions, such as:
What risks can impact strategy realization and could risk management enhance performance relative to these risks?
What would we hate to see reported in the media?
What unique risks exist in our industry?

Bottom-up assessments are more likely to be limited-scope engagements because it can be difficult to assess ERM at the
detail level. The scope can instead be defined based on specific objectives such as for specific locations or strategic
objectives. Here are some examples of questions internal auditors could ask of line managers or other participants:
Do you seek information from field personnel to get early warning of emerging risks?
Are risk management resources sufficient?
Are risk management roles for you and your subordinates defined clearly enough?
Combination approaches can be used when the benefits of both methods are desired and there is budget available for its
greater administrative cost. Here are a few examples of questions that one could ask of participants to determine how the
top and bottom interact:
How are differences of opinion on a risk or its priority shared between senior and line management and how are they
settled?
Do you feel pressured to go along with the group opinion (groupthink)?
Are there discussions of how a risk could impact other business units, how one risk may naturally offset another risk, or
how addressing one risk may create new risks?

ERM Process and Documentation Reviews

In addition to gathering information from persons involved in ERM, internal auditors can review ERM processes and
related documentation. Internal auditors seek evidence that there is structured analysis and documentation of risks,
including the following:
An overall strategy for managing risk information from multiple sources is in place.
Guidelines for the creation, modification, deletion, and sharing of risk information exist.
A risk register exists and is used. A risk register is a spreadsheet or document that links risks to organizational
objectives, provides an assessment of each risk, including its impact and probability, identifies the risk owner, and
identifies the response or key control to address the risk.
A risk communications process exists that has the necessary infrastructure for communicating risk information
throughout the organization.
A risk reporting process provides quarterly communications with management and the audit committee, has reports
that clearly link the risk universe back to shareholder value, and is focused on transparency and education.
Decision making and performance measurement processes integrate risk information.

To gather evidence, the internal audit activity may review these and other sources:
Prior risk assessments, control-self assessments, or external assurance reports
Risk management process flows
Risk appetite and strategy documents
Board minutes
Business cases for capital projects
Management discussion and analysis (MD&A) in financial statements
Results of risk monitoring activities

Once the various documents are gathered, internal auditors assess the quality of the documentation against the criteria
they have determined for the engagement. This can include assessing:
The extent and formality of the documentation. (Note that less formality does not necessarily mean less effectiveness.)
Whether the documents such as risk registers make monitoring risks more efficient.
Whether technology is leveraged where appropriate to make the process cost-effective.

Note that if the purpose of the assessment is to make a formal statement to external parties, be sure to retain the
documentation.

Analytical Techniques
Risk management analytical techniques can include performing root cause analysis of detected faults or statistical
analysis of incident trends.

Recommendations
Recommendations resulting from ERM assessments should be appropriate to management’s current and desired ERM
maturity levels.

Follow-up of Risk Treatment Plan Status

The internal audit activity also needs to follow up on the status of risk treatment plans and related control remediation
plans. Follow-up activities include ensuring that monitoring provides management with an assessment of progress against
milestones and validating that plan status reports to the board are accurate and timely.

Topic 5: Process and Function Risk Management Effectiveness

This topic follows the recommended engagement planning steps as presented in Standard 2200 and in the “Assessing the
Risk Management Process” Practice Guide to provide a systematic process for examining the effectiveness of risk
management within processes and functions as part of a risk-based audit plan during an engagement.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Practice Guide, “Assessing the Risk Management Process”

Assessing ERM on an Engagement

A best practice when conducting an individual engagement that includes a risk assessment component is to follow the
engagement planning steps as presented in Standard 2200 and further detailed in The IIA’s Practice Guide “Engagement
Planning: Establishing Objectives and Scope.” Each of these steps is adapted for use in a risk management assessment
context in The IIA’s Practice Guide “Assessing the Risk Management Process.” Here we provide a brief overview of the
process in that Practice Guide.

Understand the Context and Purpose of the Engagement

Internal auditors develop an understanding of the organization’s overall risk management maturity level in the context of
the organization’s size, industry, and regulatory environment. In particular, there must be an assessment as to whether
management has articulated objectives for risk management. Given this understanding, the internal audit engagement
requires:
Identifying the principles at work in the organization’s risk management process.
Evaluating whether those principles are appropriate and effective.

In planning the assessment, internal auditors should review Implementation Guidance for Standard 2120, “Risk
Management,” and consider elements including:
Mission, vision, strategy, and objectives.
Risk management frameworks used and methods of risk management and oversight.
Robustness of risk management roles, responsibilities, and activities.
Historically experienced risks, current risks, and changes that may introduce new risks.
Stakeholder expectations for the internal audit activity to provide assurance in the area being audited that the risk
management process is effective.

Preparations can include reviewing prior assessments, understanding and mapping risk management process flows
(flowcharts), and interviewing relevant stakeholders.

Gather Information to Understand the Risk Management Process

Given an understanding of the areas relevant to the engagement, internal auditors should gather information to support a
preliminary risk assessment. The manager of every business area should have at least some risk information, because
every area should be managing risk. Internal auditors may need to look in less obvious areas for this information. For
example, business cases for projects or initiatives contain risk assessments that could be reviewed.

Conduct a Preliminary Risk Assessment

According to The IIA

Implementation Standard 2210.A1 (Assurance Engagements)
internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review.

An effective way to perform and document an engagement-level risk assessment is to create a heat map (risk assessment
model) of significant risk exposures including errors, fraud, and noncompliance.

Establish Engagement Objectives

According to The IIA

Performance Standard 2210, “Engagement Objectives”
Objectives must be established for each engagement.

An example of an overall objective could be to provide management with insight into their ERM maturity. Standard
2210.A2 adds that assurance engagement objectives must consider the probability (i.e., likelihood) of significant
exposures including, errors, fraud, and noncompliance.

For an assurance engagement, according to Standard 2210.A3, adequate criteria are needed to evaluate risk
management, and if internal auditors find that senior management and the board have already established adequate
criteria (i.e., a risk management framework is in place), then that criteria must be used for the evaluation. If none exist,
internal auditors should work with management and/or the board to develop internal and external criteria and leading
practices. Note that for less mature organizations, consulting engagements may be more appropriate.

Establish Engagement Scope

According to The IIA

Performance Standard 2220, “Engagement Scope”
The established scope must be sufficient to achieve the objectives of the engagement.

At a minimum, the scope of any assessment regarding risk management should confirm whether any identified risk-related
processes are followed and comply with external criteria. The engagement scope may include evaluating:
The effectiveness of governance structures supporting the audit area’s risk management policies, procedures, and
activities.
The sufficiency and operating effectiveness of the audit area’s risk management policies, procedures, and activities,
including alignment with the organization’s risk appetite, stakeholder expectations, and industry standards.
The adequacy of dedicated risk management resources in the audit area.
Clearly defined risk management and assurance roles.
Explicit consideration of risk in strategy setting, clear expectations related to risk treatment, and processes for
classification, escalation, tracking, and reporting.
Existence of risk registers, rating criteria, and other tools.
Allocate Resources

According to The IIA

Performance Standard 2230, “Engagement Resource Allocation”
Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on an
evaluation of the nature and complexity of each engagement, time constraints, and available resources.

The CAE or internal auditors assigned to the engagement determine whether the quantity of resources and mix of
competencies available are sufficient to perform the engagement with due professional care. Another consideration when
allocating resources is the impact that the culture and control environment will have on the engagement’s requirements. A
top-down, bottom-up, or combined approach may be considered, but a bottom-up approach may be most appropriate for
auditing processes and functions.

Document the Work Program

Documents gathered may include process maps for the process or function, the area’s risk register, and summaries of
interviews and surveys. It is important to document the rationale used for decisions regarding the assessment of the
organization’s risk management maturity level and any criteria used to assess the risk management process.

Topic 6: Internal Audit Role in the Organization’s ERM

This topic addresses what internal audit activities are and are not acceptable in regard to the organization’s ERM process.
The topic focuses on potential consulting roles.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Practice Guide, “Interaction with the Board”
Position Paper, “The Role of Internal Auditing in Enterprise-Wide Risk Management”
Practice Guide, “Internal Audit and the Second Line of Defense”

Internal Audit’s Role in the Organization’s ERM

Exhibit 1-47 presents a range of ERM activities, differentiating between roles the internal audit activity should and, equally
important, should not undertake. Roles in the far left area are core internal audit roles the activity should undertake. These
are all assurance activities. The area in the center includes consulting and other non-assurance activities that are still
legitimate internal audit activity roles but require some safeguards, and activities in the far right are roles the activity
should not undertake.
 Exhibit 1-47: Internal Audit’s Role in ERM

The key factors to take into account regarding the role of internal audit are whether the particular activity raises any threats
to internal audit’s independence and objectivity and whether it is likely to improve the organization’s governance, risk
management, and control processes.

Key Point
Carefully review the “roles internal audit should not undertake” in the graphic above. These are all things for which the
board, senior management, or other management levels should be responsible and accountable.

Because assurance activities are addressed elsewhere, this topic focuses primarily on the center of the graphic, as this
represents an area that requires judgment. These consulting or non-project, value-added internal audit activities are
discussed more next.

Consulting or Non-Project Internal Audit Activities for ERM

According to The IIA

Implementation Standard 2120.C1 (Consulting Engagements)
During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and
be alert to the existence of other significant risks.

According to The IIA

Implementation Standard 2120.C2 (Consulting Engagements)
Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the
organization’s risk management processes.

According to The IIA

Implementation Standard 2120.C3 (Consulting Engagements)
When assisting management in establishing or improving risk management processes, internal auditors must refrain
from assuming any management responsibility by actually managing risks.

The internal audit activity’s knowledge of and reputation in risk management frequently results in organizations seeking
out the activity’s involvement as the organization embeds risk management into its culture and practices. In some cases,
internal audit may be asked to take the lead on enterprise risk management or some portion of it, even though this type of
activity will be in violation of Standard 2120.C3 if internal auditors assume any management responsibility. Also, internal
audit cannot give objective assurance on any part of the risk management framework for which it is responsible.

Key Point
Whenever the internal audit activity consults with management to set up or improve risk management processes, its plan
of work should include a clear strategy and time line for migrating the responsibility for these activities to members of
management.

If there is no ERM function, the internal audit activity advises on how to set one up and consults on the best ERM
methodology for the organization. The activity’s ERM role should be discussed with senior management and the board
and codified in the internal audit charter. Here are some potential ERM consulting areas. (Note how all of them are
carefully worded to avoid taking on any actual management responsibility.)
Assess articulation of strategies and business objectives.
Champion ERM and introduce its concepts, frameworks, and risk language by providing workshops or coaching that
highlights ways ERM could add value. Use specific examples that leverage the internal audit activity’s overall
knowledge of the organization.
Provide insight on the nature and effectiveness of the control environment.
Facilitate risk appetite setting.
Brainstorm risk events.
Provide management with internal audit tools and techniques for analyzing risks and controls.
Facilitate assessment and risk priority setting.
Advise on additional risk criteria.
Advise on choice of risk response/treatment.
Assist management with monitoring external and internal environments, such as by providing a central point for
coordinating, monitoring, and reporting on risks.
Provide audit results that highlight risk management methodologies to show their effectiveness.

Some internal audit activities may consider some ongoing or informal activities to be non-project work and therefore not
consulting work. Others will consider this a form of consulting. Regardless of how such activities are categorized, they
need to comply with the Standards, including refraining from taking on management responsibility. An example of non-
project, value-added work could include providing the board (especially new board members) with white papers on
industry risks or accounting rule changes.

As an organization’s ERM processes mature, consulting tends to become less of a focus and assurance takes on priority.
More mature organizations not only are already doing many of the right things in regard to ERM but may have specialist
roles such as a risk manager. An assurance focus then provides the independent and objective view that the first line
(management) and second line (compliance) cannot provide.

Consulting Safeguards
Safeguards for consulting on ERM include:
Making it clear to management that they are responsible for risk management, including by documenting the nature of
internal audit responsibilities in the internal audit charter and related policies and procedures.
Abstaining from actually managing any of the risks on behalf of management. Instead, the internal audit activity may
challenge or support management’s decision-making process or provide other advice.
Recognizing any work beyond assurance activities as consulting engagements. Implementation Standards related to
consulting engagements should be followed.
Consulting versus Second-Line Roles
While there will be some areas of overlap in the knowledge, skills, and values between internal auditors and second-line-
of-defense functions related to ERM (such as a risk manager or a financial controller), it is important for internal auditors to
know their limitations. Most second-line-of-defense roles will have areas of expertise and knowledge that are outside the
body of knowledge for most internal auditors. This can include:
How to use and interpret complex risk quantification and modeling techniques.
Knowledge of the details of implementing risk responses (e.g., financial risk transfer).

If specialized skills are needed, the internal audit activity needs to recognize its limitations and acquire the expertise or not
undertake the work.

Interaction with the Board in Relation to ERM

Performance Standard 2060, “Reporting to Senior Management and the Board,” indicates that the CAE’s periodic
reporting to senior management and the board must include significant risk exposures and control issues. An effective
internal audit activity provides the board with assurance in these areas and suggests governance, risk management, and
control improvement opportunities.

Developing both formal and informal communication channels and strong relationships is important to enable discussion of
sensitive matters, such as management’s failure to manage strategic and/or operational risk or an executive’s ethically
questionable behaviors and actions (including fraud). Here are some considerations for communications:
Clear, relevant, and frequent communication between the CAE and members of the board is essential.
Formal board meetings are best served if all presentation materials are relevant, complete, and risk-based.
A quarterly or similar meeting should include risk themes, for example, a review of emerging risks. The CAE also helps
the board to understand changes in the regulatory and business environment related to governance, risk management,
and control.
The CAE may also need to have frequent informal discussions with the chair or other board members, in part to
establish trust and rapport.

One of the most important aspects of interacting with the board is gaining their confidence that the internal audit activity is
fully engaged with senior management to monitor and treat risks, stay alert to emerging risks, and align with stakeholders
on risk attitudes.

Use of a risk-based audit plan is itself a confidence-building tool. Such a plan helps build stakeholder confidence when it is
grounded on:
A thorough understanding of the risk appetite of the board and senior management.
CAE discussions with the board and management on how to best prioritize projects and resources so as to provide the
most value in helping them assess risks.

Regular review of the audit plan with the board and senior management will give them opportunities to set new priorities
and adapt to internal and external environment changes.
Section F: Fraud Risks
This section is designed to help you:
Define fraud and the conditions that must exist for fraud to occur.
Discriminate among the major types of fraud.
Identify common types of fraud associated with the engagement area during the engagement planning process.
Determine if fraud risks require special consideration when conducting an engagement.
Complete a process review to improve controls to prevent fraud and recommend changes.
Provide examples of fraud risk management controls.
Use computer data analysis, including continuous online monitoring, to detect fraud.
Support a culture of fraud awareness, and encourage the reporting of improprieties.
Describe the features of an effective whistleblower hotline.
Demonstrate an understanding of forensic auditing techniques.
Demonstrate an understanding of fraud interrogation/investigative techniques.

According to The IIA

The IIA’s guidance referenced in the Challenge Exam Study Guide may be accessed using the links below. Access to
specific pages and documents varies for the public and The IIA members.
Attribute Standards: www.theiia.org/Attribute-standards
Performance Standards: www.theiia.org/Performance-standards
Standards and Guidance: www.theiia.org/Guidance
Position Papers: www.theiia.org/Position-papers
Implementation Guidance: www.theiia.org/Practiceadvisories
Practice Guides and GTAGs: www.theiia.org/Practiceguides

This section discusses the basics of fraud and internal audit’s responsibilities regarding fraud. Understanding the various
types of fraud, the threats fraud poses, and fraud controls is a crucial task for internal audit, even though internal audit is
often not tasked with the actual detection and investigation of fraudulent activities.

Topic 1: Fraud Risks and Types

This topic covers fraud risk and the types of fraud. The topic also discusses fraud risks that are present when conducting
an engagement.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Practice Guide, “Engagement Planning: Assessing Fraud Risks”
Practice Guide, “Internal Auditing and Fraud”

Fraud Risks and Types

According to The IIA

Implementation Standard 2120.A2 (Assurance Engagements)
The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages
fraud risk.

In order to evaluate the potential for the occurrence of fraud, internal auditors must first understand what fraud is and the
different types of fraud that may occur. The IPPF glossary defines fraud as:

Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent
upon the application of threat of violence or of physical force. Frauds are perpetrated by parties and
 organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure
personal or business advantage.

Fraud risk is the probability that fraud will occur and the potential consequences to the organization when it occurs.

Note that the specific legal definition of fraud may vary by jurisdiction.

Fraud is an area where the services of outside experts are often retained. The internal auditor’s responsibilities for
detecting fraud during engagements include:
Considering fraud risks in the assessment of control design and determination of audit steps to perform.
Having sufficient knowledge of fraud to identify red flags indicating that fraud may have been committed.
Being alert to opportunities that could be considered conducive for fraud, such as control weaknesses.
Evaluating the indicators of fraud and deciding whether any further action is necessary or whether an investigation
should be recommended.
Notifying the appropriate authorities within the organization if a determination is made that fraud has occurred to
recommend an investigation.

Examples of Fraud
Fraud is perpetrated by a person knowing that it could result in some unauthorized benefit to him or her, to the
organization, or to another person, and it can be perpetrated by persons outside or inside the organization. Some common
fraud schemes include the following:

Asset misappropriation involves stealing cash or assets (supplies, inventory, equipment, information) from the
organization. In many cases, the perpetrator tries to conceal the theft, usually by adjusting the records.

Skimming occurs when cash is stolen from an organization before it is recorded on the organization’s books and
records.

Disbursement fraud occurs when a person causes the organization to issue a payment for fictitious goods or
services, inflated invoices, or invoices for personal purchases.

Expense reimbursement fraud occurs when an employee is paid for fictitious or inflated expenses.

Payroll fraud occurs when a person causes the organization to issue a payment by making false claims for
compensation.

Financial statement fraud involves misrepresenting the organization’s financial statements, often by overstating
assets or revenue or understating liabilities or expenses.

Information misrepresentation involves providing false information, usually to those outside the organization.

Corruption is the misuse of entrusted power for private gain. Corruption includes bribery and other improper uses of
power.

Bribery is the offering, giving, receiving, or soliciting of anything of value to influence an outcome. Bribes may be
offered to key employees or managers such as purchasing agents who have discretion in awarding business to
vendors.

A diversion is an act to divert a potentially profitable transaction to an employee or outsider.

Related-party activity is a situation where one party receives some benefit not obtainable in a normal arm’s-length
transaction.
 Tax evasion is intentional reporting of false information on a tax return to reduce taxes owed. By purposely structuring
pricing techniques improperly, management can improve their operating results to the detriment of other organizations
and one or more countries’ taxation systems.

Internal controls must pass a cost-benefit test, and so not all controls can be designed with a literal zero tolerance for
fraud.

Developing Fraud Knowledge

According to The IIA

Implementation Standard 1210.A2 (Assurance Engagements)
Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by
the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and
investigating fraud.

Developing sufficient knowledge to evaluate the risk of fraud requires learning about the fraud triangle and common red
flags of fraud in various types. Standard 1210.A2 also requires evaluating the manner in which fraud is managed by the
organization. This process may be called an organization-wide fraud prevention, detection, and investigation program.
Organizations may develop sub-programs for specific areas of fraud.

Fraud Triangle
The fraud triangle is a set of three conditions that, if present in the right proportions, suggest the possibility of fraud:
opportunity, motive, and rationalization. The fraud triangle is shown in Exhibit 1-48.

Exhibit 1-48: The Fraud Triangle

These three conditions can be described as follows:

Opportunity. A process may be designed properly for typical conditions. However, a window of
opportunity may arise for something to go wrong or that creates circumstances for the control to fail.
An opportunity for fraud may exist due to poor control design or lack of controls. For example, a
system can be developed that appears to protect assets but is missing an important control. Anyone
aware of the gap may be able to take advantage of it without much effort.
Persons in positions of authority can create opportunities to override existing controls (i.e.,
management override) because subordinates or weak controls allow them to circumvent the rules.

Motive (also called incentive or pressure). While people can rationalize their acts, there needs to be
an incentive that entices them to behave that way.
A key motivator is the gratification of a desire, such as greed, or an addiction.
Power is a great motivator. Power can be career-related or simply gaining esteem in the eyes of family
or coworkers. For instance, some computer frauds are done just to show that the hacker has the power
to do it.
A third motivator is pressure, from either unrealistic job requirements, physical stresses, or outside
parties.
 Rationalization. Fraud perpetrators must be able to justify their actions to themselves as a psychological
coping mechanism, allowing them to believe that they have done nothing wrong and are “normal people.”
For example, these individuals might consider that they were entitled to the stolen item or that if
executives break the rules, it must be right for others to do so as well.
Some people will do things that are defined as unacceptable behavior by the organization yet are
commonplace in their culture (e.g., bribery) or were accepted by previous employers. As a result, these
individuals will not comply with rules that don’t make sense to them.
Some people may have periods of financial difficulty in their lives, have succumbed to a costly
addiction, or are facing other pressures. Consequently, they will rationalize that they are just borrowing
the money and, when their lives improve, they will pay it back.
Others may feel that stealing from a company is not bad, thereby depersonalizing the act.

Key Point
It is important to remember that it isn’t failures in systems, policies, procedures, or controls that cause fraud—it’s people.
People may take advantage of these failures, but it is still a human activity, so much of the discussion regarding
detecting fraud relates to understanding the motivations and rationalizations of people.

Although internal auditors may not be able to know the exact motive or rationalization leading to fraud, they are expected
to understand enough about internal controls to identify opportunities for fraud. Auditors also should understand fraud
schemes and scenarios and be aware of the signs that point to fraud and how to prevent such schemes or scenarios.
Information available from The IIA and other professional associations or organizations should be reviewed to ensure that
the auditor’s knowledge is current.

Red Flags of Fraud

The internal auditor is a potential “early warning system” for the organization by detecting the indicators of fraud, often
called red flags. Red flags are signs that indicate both the inadequacy of controls in place to deter fraud and the possibility
that some perpetrator has overcome weak or absent controls to commit fraud. Fraud red flags may surface at any stage of
the internal audit. Red flags are only warning signs; they are not proof that fraud has been committed.

Red flags may relate to time, frequency, place, amount, or personality. They include items such as:
Overrides of controls by management or officers.
Lack of separation of duties.
Irregular or poorly explained management activities.
Constantly exceeding goals/objectives regardless of business conditions or competition.
Too many nonroutine transactions or journal entries.
Problems or delays in providing requested information.
Significant or unusual changes in customers or suppliers.
Transactions that lack documentation or normal approval.
Employees or management hand-delivering checks.
Customer complaints about delivery.
Employees exhibiting significant behavioral changes.
Poor IT access controls.

Environmental Red Flags

Environment may be viewed on a macro or micro level. The macro level refers to conditions that affect an entire industry, a
country, or a global region, while the micro level refers to specific organizations.

Examples of macro-level red flags include:

Stiff competition, unfair trade practices, or economic downturns that create pressure to perform or lead to layoffs that
 place economic pressures on individuals. These conditions may generate the motive to commit fraud.
Recently deregulated or poorly regulated industries in which absence or laxity of controls creates opportunity for fraud,
for example, the ease of accessing cash in the business or the complexity and opacity of transactions.
An industry or cultural trend toward dishonesty and disregard of law and regulation (e.g., a history of corrupt practices
by certain types of government contractors, a pattern of bribe taking by government officials). Perpetrators may point to
a history or climate of acceptance as rationalization for fraud.

The same types of red flags may be seen on the micro or organizational level:
Financial motive from the loss of a lucrative contract, the pressure to improve financial performance to obtain a loan or
before issuing stock, or a research and development failure that threatens the organization’s product pipeline.
Reorganizations that disrupt control policies and create fraud opportunity. Failure to screen may lead to hiring with the
motive to commit fraud (e.g., hiring supervisors who fail to implement, enforce, and monitor control policies).
Failure to train all personnel in the organization’s ethical code. This can contribute to a culture that easily rationalizes
small and large acts of fraud, including theft, bid rigging, kickbacks, and conflicts of interest.

Two particular types of micro environments offer special opportunities for fraud and challenges for internal auditing:
international organizations and organizations that rely heavily on technology.

International organizations. Internal audits of multinational corporations may uncover many types of red flags that
result from the difficulty of maintaining controls in a decentralized and multicultural organization. Bribery may be
occurring in both directions: Employees may be receiving kickbacks, and large, poorly described expenditures may
mask bribes to foreign officials. Managers may carry ghost employees on the payroll. Differences in exchange rates
can be exploited.

Organizations dependent on computer technology. Computer systems can be used to steal assets or intellectual
property, facilitate identity theft, tamper with controls and records, and then hide the fraud. Internal auditors look for red
flags of ineffective security controls: poor network administration that fails to define and enforce appropriate levels of
access, lack of reports showing unauthorized access to the system, use of passwords by unauthorized users, users’
failure to use password protocols, lack of firewalls to detect intruders, or users inviting intruders into a system through
careless internet use.

Industry-Specific Red Flags

It has been estimated that four industries alone account for more than 70% of white-collar fraud: financial services,
insurance, manufacturing, and energy. Organizations in such industries therefore may see a significant return on
investment from assurance that controls are adequate and operating correctly related to fraud prevention and detection.

The financial services sector—which includes banks, savings and loan institutions, credit card companies, investment
firms, and finance companies—may often already satisfy at least two of the components of fraud: motive and opportunity.
The industry is highly competitive, with high sales incentives, so both organizations and individuals may be motivated to
take unacceptable risks or misstate sales and earnings.

Similarly, the insurance sector offers ready access to cash through fraudulent claims or payouts to nonexistent clients or
mis-evaluation of underwritten properties.

Opportunity in the manufacturing sector includes complicated procurement processes and lax oversight that allows cost
overruns and discrepancies. Closely held technology companies offer opportunity for fraud to the handful of decision
makers who know the product.

In the energy sector, a decentralized structure, often international, allows greater opportunity for fraud and for bribery to
cover it up. It may be difficult to evaluate assets or track profits. Customers may not be able to verify what and how much
they are actually receiving.

Perpetrator Red Flags

People committing fraud often display certain behaviors or characteristics that may serve as warning signs or red flags.
Personal red flags include:
Living beyond one’s means.
Conveying dissatisfaction with the job to fellow employees.
Unusually close association with suppliers.
Severe personal financial losses.
Addiction to drugs, alcohol, or gambling.
Change in personal circumstances.
Developing outside business interests.

In addition, there are those who consistently rationalize poor performance, perceive beating the system to be an
intellectual challenge, provide unreliable communications and reports, and rarely take vacations or sick time (and when
they are absent, no one performs their work).

Perpetrators may be employees or managers.

Perpetrator Red Flags—Employees

An organization’s management and internal auditors need to be trained to understand and identify the potential warning
signs of employee fraudulent conduct, which fall into the three main categories of the fraud triangle.

Auditors look for behavioral signals, like a pattern of complaints against an employee, a decline in employee morale or
attendance, abrupt resignations or evasiveness in answering questions, and a lack of cooperation or an adversarial
attitude during an audit.

Other red flags may signal the techniques used to commit the fraud. These include:
Unexplained variances (e.g., abnormally high expenses versus previous periods).
Unusual shortages in cash or inventories.
Missing or altered documents.
Invoice items inconsistent with the charge code or business function.
Approval circumventions (e.g., splitting orders to stay below approval thresholds).
Vendors with generic names or post office box addresses.
Manual transactions in an area characterized by automated transactions.
Even amounts in an environment characterized by irregular amounts.
Duplicate payments.
Using a fictitious “middle man” to divert company cash or assets.

Perpetrator Red Flags—Managers

Managers who are committing fraud against (instead of on behalf of) their companies exhibit many of the same red flags
as their employees. They may have additional needs that stem from company expectations. They may be late with
reports, play favorites, and demand loyalty from employees. Managers may have significantly more opportunities for fraud.

Financial Statement Red Flags

Although external auditors are responsible for reviewing financial statements and identifying financial statement fraud,
internal auditors may be asked to consult on the preparation of the financial statement in order to avoid problems during
the external audit. The CAE may also need to form an overall opinion on the internal controls over financial reporting
(ICFR) based on all assurance and consulting activity performed during the period. Internal auditors may be in a position
to detect irregularities before they become a public, costly embarrassment to the organization.

Some red flags that may be associated with financial statements follow.

Fictitious revenues. Unusual growth in income or profitability, earnings growth despite recurring negative cash flows
in some parts of the organization, highly complex transactions (like those used by the Enron Corporation, which board
members and many financial experts said they could not follow), end-of-reporting-period transactions (e.g., channel
loading, or building sales through special incentives at the cost of sales in later periods), sales or income attributed to
unknown companies or areas, absence of documentation for posted sales.

Improper asset valuation. Changes made to inventory counts, fictitious sales accounts, unacknowledged and
uncollected liabilities, fictitious assets supported by fictitious documents.

Concealed liabilities. Unposted invoices from vendors, calling an expense an asset (which can be depreciated or
amortized), debts assumed by shell companies (off-balance-sheet accounting), reliance on subjective valuations,
unusually low expenses or purchases, unusually low level of loss (e.g., returns or warranty), irregular accounting
entries that reduce tax liabilities.

Improper disclosures. Poor communication of standards about disclosure, ineffective boards of directors.

In general, a heavy concentration of authority in one individual or area (usually combined with poor controls), evasiveness,
a history of dishonesty or disrespect for laws and regulations, the potential for significant financial reward for certain
individuals—these can all be general red flags for financial statement fraud.

What to Do About Red Flags

An internal audit is not a fraud investigation. Identification of red flags directs the scope of current and subsequent audit
steps until sufficient evidence is gathered to form an objective conclusion regarding the existence of fraud.

When fraud is suspected, a best practice is for the internal auditor to refer the case to the CAE, who will secure
appropriate resources for further investigation, such as a certified fraud examiner or an IT security specialist.

Internal auditors assist fraud investigators by furnishing them with analyses, appraisals, recommendations, counsel, and
information concerning the activities reviewed. The succeeding auditor/investigator should be briefed on fraud risks in the
engagement, red flags noticed, fraud tests implemented to date, and preliminary findings. To be better prepared to support
fraud investigations, internal auditors should be aware of how investigations are conducted.

Topic 2: Fraud Controls

This topic discusses internal audit’s role in recommending and assessing controls to prevent and detect fraud and how
education can improve an organization’s fraud prevention efforts.

According to The IIA

In addition to reviewing the contents of this topic, students can review the following IIA materials:
Practice Guide, “Internal Auditing and Fraud”
Practice Guide, “Engagement Planning: Assessing Fraud Risks”

Preventing and Detecting Fraud

After internal auditors have considered fraud scenarios and identified and prioritized fraud risks, they should determine
which controls, if any, are in place to mitigate those risks. This can be done by expanding the fraud risk matrix to include
existing controls.

The fraud risk assessment team identifies preventive and detective controls in place to address each fraud risk and
assesses the likelihood and significance of each potential fraud. Entity-level anti-fraud controls are key elements to this
exercise and may include:
Whistleblower hotline and whistleblower protection policy.
Board oversight.
Results of continuous monitoring.
Code of conduct.
Tone of management’s communications regarding fraud risk tolerance.
Hiring and promotion guidelines and practices.
Continuous auditing.

The presence of these elements may indicate a strong control environment that can help prevent fraud. Control activities
should also include the appropriate authority limits and segregation of incompatible duties. Internal auditors consider not
only the existence of the internal controls; they also assess the effectiveness of the controls through periodic testing.

The resulting fraud risk and control matrix should be included in engagement workpapers.

Detective controls are designed to provide warnings or evidence that fraud is occurring or has occurred. Simultaneous use
of preventive and detective controls enhances any fraud risk management program’s effectiveness.

Fraud detection methods need to be flexible, adaptable, and continuously changing to meet the changes in the risk
environment. An effective way for an organization to learn about existing fraud is to provide employees, suppliers, and
other stakeholders with a variety of methods for reporting their concerns. Ways to collect this information include:
Code-of-conduct confirmation.
Whistleblower hotline.
Exit interviews.
Proactive employee survey.

Other methods for fraud detection include surprise audits in high fraud risk areas, continuous monitoring of critical data,
and routine and/or ad hoc matching of data against relevant transactions, vendor lists, employee rosters, and other data.

Fraud Awareness Education

Fraud training is usually a key factor in the deterrence of fraud. Training can cover the organization’s expectations for
employees’ conduct, the procedures and standards necessary to implement internal controls, and employee roles and
responsibilities to report misconduct.

Employee fraud training needs to be tailored to the organization and the employees’ positions within the organization.
Tailored training is more effective than generic training, allowing employees to better understand their role in the
organization’s fraud detection system.

Periodic training throughout an employee’s career reinforces awareness of fraud and its cost to the organization.
Regardless of the training method selected, a key goal of the training is to test the employee’s comprehension of the fraud
training.

Topic 3: Forensic Auditing

This topic discusses the role internal audit plays when using forensic auditing and some of the different forensic auditing
techniques available to internal auditors.
Fraud Investigations
The internal audit activity plays an important role in contributing to the overall governance of a fraud risk management
program. This is primarily evident from the independent assurance the activity provides to the board and management that
the controls in place to manage fraud risks are designed adequately and operate effectively.

Key Point
The role of the internal audit activity in investigations needs to be defined in the internal audit charter as well as in the
fraud policies and procedures.

For example, internal audit may have the primary responsibility for fraud investigations, may act as a resource for
investigations, or may refrain from involvement in investigations entirely. This may vary from organization to organization,
based on organizational policy or relevant local laws.

There are several reasons internal audit may not participate in investigations, including that the activity may:
Have the responsibility for assessing the effectiveness of investigations.
Lack the appropriate resources.
Lack internal auditors holding specialized training or certifications necessary to gather evidence.

Investigators versus Internal Auditors

Investigators interview individuals, such as witnesses, to gather evidence to support a suspicion of fraud and to establish
the scope of the fraud and the degree of complicity. While some internal auditors are also qualified investigators, when this
is not the case, it is important that the internal auditors not conduct themselves as investigators. The two roles should be
separate and distinct.

However, internal audit involvement in fraud investigation can be acceptable as long as the impact on internal auditing’s
independence is recognized and handled appropriately.

In some cases, in addition to using contractors, the internal audit activity may use non-audit employees of the organization
to assist. It is often important to assemble the investigation team without delay.

In organizations where primary responsibility for the investigation function is not assigned to internal audit, the activity may
still be asked to assist, for example, by:
Monitoring the investigation process to help the organization follow relevant policies and procedures and applicable
laws and statutes.
Locating and/or securing misappropriated or related assets.
Evaluating and monitoring the organization’s internal and external post-investigation reporting and communication
plans and practices.
Monitoring the implementation of recommended control enhancements.

Investigation Policies and Procedures

Management is responsible for developing controls for the investigation process, including policies and procedures for
effective investigations, preserving evidence, handling the results of investigations, reporting, and communications. Such
standards are often documented in a fraud policy; internal auditors may assist in the evaluation of the policy. Such policies
and procedures need to consider the rights of individuals, the qualifications of those authorized to conduct investigations,
and the relevant laws where the fraud occurred. The policies should also consider the extent to which management will
discipline employees, suppliers, or customers, including taking legal measures to recover losses or civil or criminal
prosecution.
It is important for management to clearly define the authority and responsibilities of those involved in the investigation,
especially the relationship between the investigator and legal counsel. It is also important for management to design and
comply with procedures that minimize internal communications about an ongoing investigation, especially in the initial
phases.

The policy needs to specify the investigator’s role in determining whether a fraud has been committed. Either the
investigator or management will decide if fraud has occurred, and management will decide whether the organization will
notify outside authorities. A judgment that fraud has occurred may in some jurisdictions be made only by law enforcement
or judicial authorities. The investigation may simply result in a conclusion that organization policy was violated or that fraud
is likely to have occurred.

Fraud Investigation Process

A fraud investigation consists of gathering sufficient information about specific details and performing the procedures
necessary to determine whether fraud has occurred, the loss or exposures associated with the fraud, who was involved,
and how it happened.

An investigation plan is developed for each investigation, following the organization’s investigation procedures. The lead
investigator determines the knowledge, skills, and other competencies needed to carry out the investigation effectively and
assigns competent, appropriate people to the team who have no potential conflict of interest with those being investigated
or with any of the employees in the organization.

The plan should consider the following investigative activities:

Gathering evidence through surveillance, interviews, or written statements
Documenting and preserving evidence, considering legal rules of evidence and the business uses of the evidence
Determining the extent of the fraud
Determining the techniques used to perpetrate the fraud
Evaluating the cause of the fraud
Identifying the perpetrators

The investigator may conclude at any point that the complaint or suspicion is unfounded. The investigator then follows the
organization’s process to close the case.

Investigation Evidence
The collection and preparation of evidence is critical to understanding the fraud or misconduct, and it is needed to support
the conclusions reached by the investigation team. The investigation team may use computer forensic procedures or data
analysis. All reports, documents, and evidence obtained should be recorded chronologically in an inventory or log. Some
examples of evidence include:
Memos and correspondence, both in hard copy and electronic form (such as emails or information on personal
computers).
Computer files, general ledger postings, etc.
IT or system access records.
Security timekeeping logs, videos, or access badge records.
Internal phone records.
Public or internal customer or vendor information, such as contracts, invoices, and payment information.
Public records, such as business registrations or property records.
Social networking sites.

The level and extent of complicity in the fraud throughout the organization needs to be assessed. This assessment can be
critical to not destroy or taint crucial evidence and to avoid obtaining misleading information from persons who may be
involved.

Interrogations
Generally the accused is interrogated by two people: 1) an experienced investigator and 2) another individual who takes
notes and functions as a witness if needed. It is essential that all information obtained from the interrogation is rendered
correctly.

Investigative activities need to be coordinated with management, legal counsel, and other specialists such as HR and
insurance risk management as appropriate.

Investigators need to be knowledgeable and cognizant of the rights of persons within the scope of the investigation. The
investigator has the responsibility to ensure that the investigation process is handled in a consistent and prudent manner.

Fraud Reporting and Communicating

Reporting and communicating consists of the various oral, written, interim, or final communications to senior management
and/or the board regarding the status and results of fraud investigations.

Communications may include the reason for beginning the investigation, time frames, observations, conclusions,
resolution, and recommendations to improve controls.

Some additional considerations concerning fraud reporting are:

Submitting a draft of the proposed final communications to legal counsel for review.
Notifying senior management and the board in a timely manner when significant fraud or erosion of trust occurs or a
fraud may have a material effect on financial statements (e.g., a previously undiscovered adverse effect on the
organization’s financial position and its operational results for one or more years).

The investigation needs to adequately secure evidence collected, maintaining chain-of-custody procedures appropriate for
the situation.

According to The IIA

Performance Standard 2400, “Communicating Results”
Internal auditors must communicate the results of engagements.

According to The IIA

Performance Standard 2410, “Criteria for Communicating”
Communications must include the engagement’s objectives, scope, and results.

As specified in these standards, distribution of investigation results should be appropriately limited and information should
be treated in a confidential manner. Implementation Guide 2600 notes that information regarding fraud comes under the
category of “highly significant risks that the CAE judges to be beyond the organization’s tolerance level.”

In addition, communication of results should take care to protect internal whistleblowers.

In the case of fraud, local laws may accelerate communication of investigation reports to the board and may require
reporting to local authorities as well.

Resolution
Management and the board (not the internal audit activity or the investigator) are responsible for resolving fraud incidents
once a fraud scheme and perpetrators have been fully investigated and evidence has been reviewed.

When disclosures are voluntary rather than mandatory, management or the board determines whether to inform entities
outside the organization after consultation with legal counsel, HR personnel, and the CAE. The organization may be
required to notify law enforcement, regulators, insurers, bankers, and external auditors of instances of fraud. Any
comments made by management to the press, law enforcement, or other external parties may be coordinated through
legal counsel in accordance with organizational policies.

Internal communications are used by management to reinforce its position relating to integrity, to demonstrate that it takes
appropriate action when organizational policy is violated, and to show why internal controls are important.

Lessons Learned
After the fraud has been investigated and communicated, management and the internal audit activity consider lessons
learned. For example:
How did the fraud occur?
What controls failed?
What controls were overridden?
Why wasn’t the fraud detected earlier?
What red flags were missed by management?
What red flags did internal audit miss?
How can future fraud be prevented or more easily detected?
What controls need strengthening?
What internal audit plans and audit steps need to be enhanced?
What additional training is needed?

These sessions need to stress the importance of acquiring up-to-date information on perpetrators and fraud schemes.

Internal auditors typically assess the facts of investigations and advise management relating to remediation of control
weaknesses that lead to the fraud. Internal auditors may design steps in audit programs or develop “auditing for fraud”
programs to help disclose the existence of similar frauds in the future.

Engagement Fraud Risks

According to The IIA

Implementation Standard 2210.A2 (Assurance Engagements)
Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when
developing the engagement objectives.

To ensure adequate review of the risks relevant to each engagement, internal auditors may conduct a fraud risk
assessment as part of engagement planning. A full fraud risk assessment consists of five key steps:
Identify relevant fraud risk factors.
Identify potential fraud schemes and prioritize them based on risk.
Map existing controls to potential fraud schemes and identify gaps.
Test operating effectiveness of fraud prevention and detection controls.
Document and report the fraud risk assessment.

Note that internal auditors may not conduct a full fraud risk assessment during engagement planning. They may also
consider and discuss fraud risk with senior management or review the organization’s fraud risk assessment, if available,
instead of conducting their own assessment.
Opportunity is the only factor in the fraud triangle that organizations can control directly. Internal auditors should note that
those who engage in fraudulent activities may rationalize fraud not only for their own benefit but also for the benefit of the
organization or an external individual or organization.

Based on the information gathered, internal auditors can begin contemplating potential fraud scenarios and fraud risks
relevant to the area or process under review. Brainstorming fraud scenarios is an effective way to determine the
characteristics and circumstances unique to the specific area or process that may produce opportunities and incentives for
fraud. Internal auditors should brainstorm with individuals diverse in their knowledge, perspective, and relationship to the
area or process under review.

Forensic Auditing Techniques

Forensic investigations and fraud examinations will depend heavily on computer forensics, computer data imaging,
electronic evidence discovery, and the analysis of structured and unstructured data. Some examples of forensic auditing
techniques include the following:
Rules-based descriptive tests and reporting use historical data with simple and complex analytical weighted tests to
identify areas of risk. Alerts will be produced when a specific condition is met.
Keyword search scans free text fields and unstructured data sources to identify suspicious or high-risk language.
Topic modeling uses text analytics to identify suspicious phrases, high-risk topics, or unusual patterns of behavior in
the free text components of data. Beyond keyword searching, topic modeling seeks to cluster, quantify, and group the
key noun or noun phrases in the data, enabling the investigative team to quickly gain an understanding of what
information may have been compromised.
Linguistic analysis also uses text analytics, identifying the emotive tone of the communication. It identifies angry,
frustrated, secretive, harassing, or confused communications.
Pattern and link analysis is a data visualization technique that finds hidden patterns and relationships in vast,
seemingly unrelated data sources.
Bibliography
The following references were used in the development of Part 1 of The IIA’s CIA Challenge Exam Study Guide. Please note that
all website references were valid as of April 2020.

“About the Profession.” The Institute of Internal Auditors, na.theiia.org/about-us/about-ia/Pages/About-the-Profession.aspx.

Adams, Pat, Sally Culter, Bruce McCuaig, Sajay Rai, and James Roth. Sawyer’s Internal Auditing, sixth edition. Lake Mary,
Florida: The Institute of Internal Auditors Research Foundation, 2012.

“All in a Day’s Work: A Look at the Varied Responsibilities of Internal Auditors.” The Institute of Internal Auditors,
na.theiia.org/about-ia/PublicDocuments/06262_All_In_A_Days_Work-Rev.pdf.

American Institute of Certified Public Accountants. “Management Antifraud Programs and Controls.” New York: American Institute
of Certified Public Accountants, Inc., 2002.

Anderson, Urton, and Andrew J. Dahle. Applying the International Professional Practices Framework, fourth edition. Lake Mary,
Florida: The Institute of Internal Auditors, 2018.

Anderson, Urton, and Andrew J. Dahle. Implementing the Professional Practices Framework, second edition. Altamonte Springs,
Florida: The Institute of Internal Auditors, 2006.

Anderson, Urton, and Andrew J. Dahle. Implementing the International Professional Practices Framework, third edition. Altamonte
Springs, Florida: The Institute of Internal Auditors, 2009.

Anderson, Urton, et al. Internal Auditing: Assurance and Advisory Services, fourth edition. Lake Mary, Florida: The Institute of
Internal Auditors, 2017.

“AS/NZS ISO 31000:2009, “Risk Management—Principles and Guidelines.” Standards Australia/Standards New Zealand,
www.standards.govt.nz.

“Assessing the Adequacy of Risk Management Using ISO 31000” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute
of Internal Auditors, 2010.

“Assessing the Risk Management Process” (IPPF Practice Guide). Lake Mary, Florida: The Institute of Internal Auditors, 2019.

Audit Committee Effectiveness—What Works Best, third edition. Altamonte Springs, Florida: The Institute of Internal Auditors,
2005.

“The Audit Committee: Purpose, Process, Professionalism.” The Institute of Internal Auditors,
www.yumpu.com/en/document/view/36619613/the-audit-committee-purpose-process-professionalism.

“Auditing External Business Relationships” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors,
2009.

“Auditing Privacy Risks” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2012.

“Auditing Techniques” course. Altamonte Springs, Florida: The Institute of Internal Auditors.

“Basel III: International Regulatory Framework for Banks.” Bank for International Settlements, www.bis.org/bcbs/basel3.htm?
m=3%7C14%7C572.

Baxter, Ralph. “The Role of Spreadsheets in Today’s Corporate Climate.” ITAudit, Vol. 9, December 2006.

Biegelman, Martin T., and Joel T. Bartow. Executive Roadmap to Fraud Prevention and Internal Control—Creating a Culture of
Compliance. Hoboken, New Jersey: John Wiley and Sons, 2006.

“Business Continuity Management” (Global Technology Audit Guide [GTAG] 10). The Institute of Internal Auditors, 2009.

Chartered Professional Accountants Canada (CPA Canada), www.cpacanada.ca.

“Chief Audit Executives—Appointment, Performance Evaluation, and Termination” (IPPF Practice Guide). Altamonte Springs,
Florida: The Institute of Internal Auditors, 2010.

“COBIT 5: Enabling Processes.” ISACA, www.isaca.org/COBIT/Pages/COBIT-5-Enabling-Processes-product-page.aspx.

“COBIT 2019 Framework: Introduction and Methodology.” Schaumburg, Illinois: ISACA (www.isaca.org), 2018.

Coenen, Tracy L. “The Fraud Files: The True Cost of Fraud.” Wisconsin Law Journal, May 24, 2006.

Committee of Sponsoring Organizations of the Treadway Commission (COSO), www.coso.org.

Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management—Integrated Framework.
Jersey City, New Jersey: American Institute of Certified Public Accountants, 2004.

Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management—Integrating with Strategy
and Performance. Jersey City, New Jersey: American Institute of Certified Public Accountants, 2017.

Committee of Sponsoring Organizations of the Treadway Commission. Fraud Risk Management Guide. 2016.

Committee of Sponsoring Organizations of the Treadway Commission. Internal Control—Integrated Framework. Jersey City, New
Jersey: American Institute of Certified Public Accountants, 1994.

Committee of Sponsoring Organizations of the Treadway Commission. Internal Control—Integrated Framework (2013). Jersey
City, New Jersey: American Institute of Certified Public Accountants, 2013.

Committee of Sponsoring Organizations of the Treadway Commission. Internal Control Over Financial Reporting—Guidance for
Smaller Public Companies. Jersey City, New Jersey: American Institute of Certified Public Accountants, 2006.

“Continuous Auditing: Coordinating Continuous Auditing and Monitoring to Provide Continuous Assurance, 2nd Edition” (Global
Technology Audit Guide [GTAG] 3). The Institute of Internal Auditors, 2015.

“Coordinating Risk Management and Assurance” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal
Auditors, 2012.

“Corporate Governance: A Practical Guide.” London Stock Exchange, www.ecgi.org/codes/documents/rsmi_lse_guide2004.pdf,

2004.

Corporate Governance and the Board—What Works Best. Altamonte Springs, Florida: The Institute of Internal Auditors, 2000.

“Corporate Governance Principles and Recommendations with 2010 Amendments.” ASX Corporate Governance Council,
www.asx.com.au/documents/asx-compliance/cg_principles_recommendations_with_2010_amendments.pdf.

“Corporate Social Responsibility: Opportunities for Internal Audit” course. Altamonte Springs, Florida: The Institute of Internal
Auditors.

Daft, Richard L., and Dorothy Marcic. Understanding Management, tenth edition. Boston, Massachusetts: Cengage Learning,
2015.

“Demonstrating the Core Principles for the Professional Practice of Internal Auditing” (IPPF Practice Guide). Lake Mary, Florida:
The Institute of Internal Auditors, 2019.

Directory of Software Products for Internal Auditors. Altamonte Springs, Florida: The Institute of Internal Auditors, 2010.

Elkington, John. Cannibals with Forks: Triple Bottom Line of 21st Century Business. Stony Creek, Connecticut: New Society
Publishers, 1998.

“Engagement Planning: Assessing Fraud Risks” (IPPF Practice Guide). Lake Mary, Florida: The Institute of Internal Auditors, 2017.

“Enterprise Risk Management: What’s New? What’s Next” seminar. Altamonte Springs, Florida: The Institute of Internal Auditors.

“Environmental, Health, and Safety Guidelines.” International Finance Corporation,

www.ifc.org/wps/wcm/connect/topics_ext_content/ifc_external_corporate_site/sustainability-at-ifc/policies-standards/ehs-
guidelines.

“Evaluating Corporate Social Responsibility/Sustainable Development” (IPPF Practice Guide). Altamonte Springs, Florida: The
Institute of Internal Auditors, 2010.

Financial Reporting Council (FRC), www.frc.org.uk/Home.aspx.

“Formulating and Expressing Internal Audit Opinions” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal
Auditors, 2009.

Fraser, John, and Hugh Lindsay. 20 Questions Directors Should Ask About Internal Audit. Toronto, Ontario: The Canadian Institute
of Chartered Accountants, 2004.

Fraud Examiners Manual, 2003 edition. Austin, Texas: Association of Certified Fraud Examiners, 2003.

“Frequently Asked Questions,” The Institute of Internal Auditors, na.theiia.org/about-us/about-ia/Pages/Frequently-Asked-

Questions.aspx.

Frigo, Mark L. A Balanced Scorecard Framework for Internal Auditing Departments. Altamonte Springs, Florida: The Institute of
Internal Auditors Research Foundation, 2002.
Galloway, David. Internal Auditing: A Guide for the New Auditor, second edition. Altamonte Springs, Florida: The Institute of
Internal Auditors, 2002.

Global Reporting Initiative, www.globalreporting.org.

Glover, Hubert D., and James C. Flag. Effective Fraud Detection and Prevention Techniques Practice Set. Altamonte Springs,
Florida: The Institute of Internal Auditors, 1993.

Gray, Glen L. Changing Internal Audit Practices in the New Paradigm: The Sarbanes-Oxley Environment. Altamonte Springs,
Florida: The Institute of Internal Auditors, 2004.

“Guidance on Risk Management, Internal Control and Related Financial Business Reporting.” Financial Reporting Council, 2014.

Hubbard, Larry. Control Self-Assessment: A Practical Guide. Altamonte Springs, Florida: The Institute of Internal Auditors, 2000.

Hutton, David W. The Change Agents’ Handbook. Milwaukee, Wisconsin: ASQ Quality Press, 1994.

“The IIA’s Global Internal Audit Competency Framework.” Altamonte Springs, Florida: The Institute of Internal Auditors, 2013.

“The IIA’s Three Lines Model: An Update of the Three Lines of Defense.” Lake Mary, Florida: The Institute of Internal Auditors,
2020.

“IIA Position Paper on Resourcing Alternatives for the Internal Audit Function.” Altamonte Springs, Florida: The Institute of Internal
Auditors.

“Independence and Objectivity” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2011.

“Information Technology Risks and Controls, 2nd Edition” (Global Technology Audit Guide [GTAG] 1). The Institute of Internal
Auditors, 2012.

Institute of Chartered Accountants in England and Wales (ICAEW), www.icaew.com.

The Institute of Directors in Southern Africa (IoDSA), www.iodsa.co.za. The Institute of Internal Auditors, www.theiia.org.

“Integrated Auditing” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2012.

“Interaction with the Board” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2011.

Internal Audit Foundation. Sawyer’s Internal Auditing, seventh edition. Lake Mary, Florida: Internal Audit Foundation, 2019.

Internal Audit Reporting Relationships: Serving Two Masters. Altamonte Springs, Florida: The Institute of Internal Auditors, 2003.

“Internal Auditing and Fraud” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal Auditors, 2009.

International Professional Practices Framework (IPPF), 2017 Edition. Lake Mary, Florida: The Institute of Internal Auditors, 2017.

“International Standards for the Professional Practice of Internal Auditing (Standards),” na.theiia.org/standards-
guidance/mandatory-guidance/Pages/Standards.aspx.

“Interpersonal Skills—Abilities Needed to Interact With Others Effectively.” The Institute of Internal Auditors. (As of April 2018, this
publication is suppressed.)

ISO 14001:2015, “Environmental Management Systems.” ISO, www.iso.org/standard/60857.html.

ISO 26000:2010, “Guidance on Social Responsibility.” ISO, www.iso.org/standard/42546.html.

ISO 31000:2018, “Risk Management—Guidelines.” ISO, www.iso.org/standard/65694.html.

ISO 31010:2009, “Risk Management—Risk Assessment Techniques.” ISO, www.iso.org/standard/51073.html.

ISO Guide 73:2009, “Risk Management—Vocabulary.” ISO, www.iso.org/standard/44651.html.

Jerskey, Pamela. “Automated Workpapers Made Easy.” Keith, Jonnie T. “Killing the Spider.” Internal Auditor, April 2005.

“King IV Report,” Institute of Directors of Southern Africa. www.iodsa.co.za/page/KingIVReport, 2016.

“The Laws That Govern the Securities Industry—Sarbanes-Oxley Act of 2002.” Securities and Exchange Commission,
www.sec.gov/about/laws.shtml.

Mainardi, Robert L. Harnessing the Power of Continuous Auditing: Developing and Implementing a Practical Methodology.
Hoboken, New Jersey: John Wiley, 2011.

“Managing and Auditing IT Vulnerabilities” (Global Technology Audit Guide [GTAG] 6). The Institute of Internal Auditors.
“Managing the Business Risk of Fraud, A Practical Guide.” The Institute of Internal Auditors, the American Institute of Certified
Public Accountants, and the Association of Certified Fraud Examiners, 2008, global.theiia.org/standards-
guidance/Public%20Documents/fraud%20paper.pdf.

Marcella, Albert J., Jr., and Carol Stucki. Privacy Handbook. Hoboken, New Jersey: John Wiley and Sons, 2003.

Marks, Norman. “Auditing Governance Processes.” Internal Auditor (Ia), February 2012.

Mautz, Robert K. Internal Control in U.S. Corporations: The State of the Art. New York: Financial Executives Research Foundation,
1980.

McNamee, David. Business Risk Assessment. Altamonte Springs, Florida: The Institute of Internal Auditors, 2005.

McNamee, David. “Risk Management and Risk Assessment.” Pleier Corporation, www.pleier.com/rmra.htm.

“Measuring Internal Audit Effectiveness and Efficiency” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal
Auditors, 2010.

Miccolis, Jerry A., Kevin Hively, and Brian W. Merkley. Enterprise Risk Management: Trends and Emerging Practices. Altamonte
Springs, Florida: The Institute of Internal Auditors, 2001.

“Model Internal Audit Activity Charter.” The Institute of Internal Auditors, global.theiia.org/standards-guidance/recommended-
guidance/Pages/Model-Internal-Audit-Activity-Charter.aspx.

“OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.” Organisation for Economic Co-operation
and Development, www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.

Operational Auditing. Altamonte Springs, Florida: The Institute of Internal Auditors, 2006.

“The Path to Quality.” The Institute of Internal Auditors, na.theiia.org/services/quality/Public_Documents/Path to Quality.pdf.

Pickett, K. H. Spencer, and Jennifer M. Pickett. The Internal Auditing Handbook, second edition. West Sussex, England: John
Wiley and Sons, 2003.

“Practical Considerations Regarding Internal Auditing Expressing an Opinion on Internal Control.” The Institute of Internal Auditors,
2005.

PriceWaterhouseCoopers. Audit Committee Effectiveness—What Works Best, third edition. Altamonte Springs, Florida: The
Institute of Internal Auditors, 2005.

PriceWaterhouseCoopers. Corporate Governance and the Board—What Works Best. Altamonte Springs, Florida: The Institute of
Internal Auditors, 2000.

Privacy Rights Clearinghouse, www.privacyrights.org.

Quality Assessment Manual for the Internal Audit Activity, 2017 IPPF Aligned. Lake Mary, Florida: Internal Audit Foundation, 2017.

Quality Assessment Manual, fifth edition. Altamonte Springs, Florida: The Institute of Internal Auditors, 2006.

“Quality Assurance and Improvement Program” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of Internal
Auditors, 2012.

Reding, Kurt F., Paul J. Sobel, Urton L. Anderson, Michael J. Head, Sri Ramamoorti, Mark Salamasick, and Cris Riddle. Internal
Auditing: Assurance and Consulting Services. Altamonte Springs, Florida: The Institute of Internal Auditors Research Foundation,
2007.

“Reliance by Internal Audit on Other Assurance Providers” (IPPF Practice Guide). Altamonte Springs, Florida: The Institute of
Internal Auditors, 2011.

“Report to the Nations: 2018 Global Study on Occupational Fraud and Abuse.” Association of Certified Fraud Examiners,
www.acfe.com/report-to-the-nations/2018/.

“Revised Guidance for Directors on the Combined Code.” Financial Reporting Council, www.ecgi.org/codes/documents/frc_ic.pdf.

Rife, Randal. “Planning for Success.” Internal Auditor (Ia), October 2006.

“Risk Assessment in Practice.” COSO, www2.deloitte.com/content/dam/Deloitte/global/Documents/Governance-Risk-

Compliance/dttl-grc-riskassessmentinpractice.pdf, 2012.

“The Role of Internal Auditing in Enterprise-Wide Risk Management.” The Institute of Internal Auditors, global.theiia.org/standards-
guidance/Public%20Documents/PP%20The%20Role%20of%20Internal%20Auditing%20in%20Enterprise%20Risk%20Manageme
nt.pdf, 2009.
Roth, James. Control Model Implementation: Best Practices. Altamonte Springs, Florida: The Institute of Internal Auditors, 1997.

Sawyer, Lawrence B., Mortimer A. Dittenhofer, and James H. Scheiner. Sawyer’s Internal Auditing, fifth edition. Altamonte Springs,
Florida: The Institute of Internal Auditors, 2005.

Sawyer, Lawrence B., Mortimer A. Dittenhofer, and James H. Scheiner. Sawyer’s Internal Auditing—Instructor’s Guide. Altamonte
Springs, Florida: The Institute of Internal Auditors, 2003.

Sobel, Paul. “Internal Auditing’s Role in Risk Management.” bookstore.theiia.org/internal-auditings-role-in-risk-management, March

2011.

Steinberg, Richard M., and Deborah Pojunis. “Corporate Governance: The New Frontier.” Internal Auditor (Ia), December 2000.

“The Three Lines of Defense in Effective Risk Management and Control.” Altamonte Springs, Florida: The Institute of Internal
Auditors, 2013.

Verschoor, Curtis C. Audit Committee Briefing: Understanding the 21st Century Audit Committee and Its Governance Roles.
Altamonte Springs, Florida: The Institute of Internal Auditors, 2000.

Verschoor, Curtis C. Governance Update 2003: Impact of New Initiatives on Audit Committees and Internal Auditors. Altamonte
Springs, Florida: The Institute of Internal Auditors, 2003.

“What Is COBIT 5?” ISACA, www.isaca.org/COBIT/Pages/default.aspx.

Index
A
assets
improper valuation [1]
auditing [1]
auditors [1]
audit plan [1]
authority of internal audit activity [1]

B
balanced scorecard [1]

C
codes of conduct [1]
Committee of Sponsoring Organizations frameworks
Enterprise Risk Management—Integrating with Strategy and Performance [1]
concealed liabilities [1]
conduct, codes of [1]
control(s) [1]
control environment [1] , [2]
Core Principles for the Professional Practice of Internal Auditing [1]
COSO frameworks
Enterprise Risk Management—Integrating with Strategy and Performance [1]
culture [1] , [2]

D
Definition of Internal Auditing [1]
disclosures [1]

E
effectiveness [1]
efficiency [1]
enterprise risk management [1] , [3]
See also: risk
environmental red flags [1]
EQAs (external quality assessments) [1]
ERM (enterprise risk management) [1] , [3]
See also: risk
ethics [1] , [2]
external auditing [1]
external auditors [1]
external quality assessments [1]

F
fictitious revenues [1]
financial statement red flags [1]
forensic auditing [1]
fraud
awareness [1]
fraud:motive [1]
fraud:opportunity [1]
fraud:rationalization [1]
red flags [1]
risk assessment [1]
risks [1]
training [1]
triangle [1]

G
Global Technology Audit Guide, “Auditing IT Governance” [1]
governance
information technology [1]
principles [1]
GTAG (Global Technology Audit Guide), “Auditing IT Governance” [1]

H
heat maps [1]

I
impact of risk [1]
improper asset valuation [1]
improper disclosures [1]
independence [1]
industry-specific red flags [1]
information technology governance [1]
internal auditing [1]
internal auditors [1]
internal quality assessments [1]
International Organization for Standardization, ISO 31000, “Risk management—Guidelines” [1]
International Professional Practices Framework
Core Principles for the Professional Practice of Internal Auditing [1]
Definition of Internal Auditing [1]
Mission of Internal Audit [1]
Standards
See: International Standards for the Professional Practice of Internal Auditing
International Standards for the Professional Practice of Internal Auditing
1000, “Purpose, Authority, and Responsibility” [1]
1210.A2 [1]
1300, “Quality Assurance and Improvement Program” [1]
1310, “Requirements of the Quality Assurance and Improvement Program” [1]
1311, “Internal Assessments” [1] , [2]
1312, “External Assessments” [1]
1322, “Disclosure of Nonconformance” [1]
 2010, “Planning” [1]
2010.A1 [1]
2060, “Reporting to Senior Management and the Board” [1]
2110, “Governance” [1] , [2]
2110.A2 [1]
2120, “Risk Management” [1]
2120.A1 [1]
2210.A2 [1]
ISO 31000, “Risk management—Guidelines” [1]

K
King Report on Corporate Governance [1]

L
liabilities, concealed [1]
likelihood of risk [1]

M
maturity model approach to assessing risk management [1]
Mission of Internal Audit [1]
motive, and fraud [1]

N
nonconformance [1]

O
objectivity [1]
opportunity, and fraud [1]

P
perpetrator red flags [1]
Practice Guides
“Auditing Culture” [1]
“Measuring Internal Audit Effectiveness and Efficiency” [1]
purpose of internal audit activity [1]

R
rationalization, and fraud [1]
red flags of fraud [1]
responsibility of internal audit activity [1]
risk
assessment [1] , [2]
categorization [1]
fraud [1]
heat maps [1]
identification [1]
impact [1]
likelihood [1]
 management [1]
rating [1]
reporting [1]
responses [1]
risk-based audit plan [1]

S
SAIVs (self-assessments with independent external validation) [1]
scope [1]
self-assessments [1]
self-assessments with independent external validation [1]
Standards
See: International Standards for the Professional Practice of Internal Auditing

T
Three Lines Model [1]

V
values [1]