Part 2 B – 1 (V3.0)
THE IIA’S CIA LEARNING SYSTEM™
www.LearnCia.com
Section Topics
1. Conduct assurance engagements
   1a. Fraud audits
   1b. Control self-assessments
   1c. External business relationship audits
   1d. Quality audit engagements
   1e. Due diligence audit engagements
   1f. Security audit engagements
   1g. Privacy audit engagements
   1h. Performance audit engagements
   1i. Operational (efficiency and effectiveness) audit engagements
   1j. Financial audit engagements
   1k. Information technology (IT) audit engagements
   1l. Compliance audit engagements
2. Conduct consulting engagements
Part 2, Section B
Part 2 B – 2V3.0
Discussion Question
What are the distinguishing features of assurance engagements?
Answer:
• They involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusions regarding a process, system, or other subject matter.
• The nature and scope of the engagement are determined by the internal auditor.
• They generally involve three parties (process owners, internal auditor, and users).
Part 2, Section B, Topic 1
Part 2 B – 3V3.0
Five Principles to Manage Fraud Risk
• Principle 1: A fraud risk management program should be in place.
• Principle 2: Fraud risk exposure should be assessed periodically.
• Principle 3: Prevention techniques to avoid potential key fraud risk events should be established.
• Principle 4: Detection techniques should be established.
• Principle 5: A reporting process should be in place, and a coordinated approach to investigation and corrective action should be used.
Part 2, Section B, Topic 1a
Part 2 B – 4V3.0
Control Self-Assessment (CSA)
A broader approach:
Self-assessment workshops + Senior IA facilitators = Increased honesty + Commitment to improve
Part 2, Section B, Topic 1b
Part 2 B – 5V3.0
Responsibilities and Roles
Table: Responsibilities | Traditionally | With CSA (roles shift among management, auditors, and work teams)
• Setting business objectives
• Assessing risks
• Objectives used (audit’s or management’s)
• Adequacy of internal controls
• Validating evaluation of risks and controls
• Evaluating risks and controls
• Reporting
Source: Control Self-Assessment: A Practical Guide by Larry Hubbard.
Part 2, Section B, Topic 1b
Part 2 B – 6V3.0
Workshop Categories
Category: Focus
• Objective-based: Best way to accomplish a business objective
• Process-based: Analysis, revision, or verification of process effectiveness
• Risk-based: Adequacy of controls to mitigate roadblocks to achieving an objective
• Control-based: How well controls are working in light of management’s intent
Part 2, Section B, Topic 1b
Part 2 B – 7V3.0
Discussion Question
What are some factors to consider when developing a CSA questionnaire?
Sample answer:
• Use one topic per question.
• Put easy-to-answer questions first.
• Use words clear in meaning to recipients (use their language).
• Keep it short and simple.
• Address the questionnaire in a personal manner.
• Personally distribute and collect the survey.
• Use it in interview conversation.
Source: Control Self-Assessment: A Practical Guide by Larry Hubbard.
Part 2, Section B, Topic 1b
Part 2 B – 8V3.0
Discussion Question
What are some examples of the management-produced analyses type of CSA?
Sample answer:
Management-produced analyses are the form of CSA covering most other approaches by management groups to produce information about selected business processes, risk management activities, and control procedures. They are often intended to reach an informed and timely judgment about specific characteristics of control procedures and are commonly prepared by a team in a staff or support role. Examples:
• Management questionnaire to support an opinion on required controls
• Discussion among senior financial managers to support the annual letter required by external accountants
• Investigation into reasons for a control breakdown or fraud
• Review of control implications of a new system or combination of units
Part 2, Section B, Topic 1b
Part 2 B – 9V3.0
Discussion Question
What range of roles can the internal auditor play in CSA?
Answer:
• Minimal involvement as an interested party, consultant, or verifier.
• Intense involvement as sponsor, designer, training administrator, or process owner.
Part 2, Section B, Topic 1b
Part 2 B – 10V3.0
Discussion Question
What are some outcomes that can result from CSA?
Sample answers:
• Assessment and control of risks to achieve business objectives
• Identification and evaluation of soft controls
• Sense of owning controls that leads to timely, effective corrections
• Monitoring and improving the objectives-risks-controls infrastructure
• IA involvement in and knowledge about the CSA (from involvement as a facilitator, scribe, and reporter)
• IA activity’s information about the organization’s controls, leading to more effective allocation of audit resources
• Management’s responsibility for risk management and controls
• Continuation of the IA activity’s primary role in validating the evaluation process
Part 2, Section B, Topic 1b
Part 2 B – 11V3.0
Discussion Question
When might each of the following types of contracts be used most effectively?
Contract Type: Most Effective Use
1. Lump-sum: Sample answer: Work is not complicated and is likely to be completed as agreed upon.
2. Cost-plus: Sample answer: Work involves many unknown factors.
3. Unit-price: Sample answer: Contractor is delivering a great many identical products or services.
Part 2, Section B, Topic 1c
Part 2 B – 12V3.0
Discussion Question
What are some risks of each contract type?
Contract Type: Examples of Risk
1. Lump-sum: Sample answer: Complex challenges may lead to scope creep, with additional costs to the hiring organization.
2. Cost-plus: Sample answer: Lack of incentive for the contractor to look for the best price for products and labor or otherwise contain costs.
3. Unit-price: Sample answer: Inaccurate reporting of the number of units completed and inaccurate or unwarranted pricing of units.
Part 2, Section B, Topic 1c
Part 2 B – 13V3.0
Some Quality Audit Outcomes
• Recognize risks.
• Prevent or rectify costs of poor quality.
• Identify areas for continuous improvement.
• Assess quality of staff training.
• Verify compliance with the organization’s processes, regulations, and laws.
• Eliminate waste (unnecessary activities, controls, etc.).
Part 2, Section B, Topic 1d
Part 2 B – 14V3.0
Discussion Question
Define each of the following in regard to due diligence.
• What? Sample answer: Investigation of a person, a business, or a financial transaction
• Why? Sample answer: To ensure that a proposed action will enhance value and not involve liabilities
• By whom? Sample answer: Generally carried out by internal and external auditors and lawyers
• When? Sample answer: Most often in connection with real estate purchases and financial transactions
Part 2, Section B, Topic 1e
Part 2 B – 15V3.0
Due Diligence Audit Engagement Report
Based upon the engagement report, senior management may decide to:
• Go ahead: No problems discovered; continue with the deal.
• Fix problem: Correct a problem; there is an issue, but it can be resolved.
• Adjust price: Adjust the price to reflect audit findings (usually negative).
• Back out: Cancel; the liabilities can’t be removed at a reasonable cost.
Part 2, Section B, Topic 1e
Part 2 B – 16V3.0
Security Audit Engagements
Focus primarily on risk assessment, controls, and governance in regard to:
• Safeguarding of assets
• Reliability/integrity of information
Part 2, Section B, Topic 1f
Part 2 B – 17V3.0
Access Controls
• Magnetic access cards
• Biometric access systems
• Physical barriers
• Access-granting procedures and passwords
• Monitoring
Part 2, Section B, Topic 1f
Part 2 B – 18V3.0
Discussion Question
What are some reasons data might be lost, and what is internal audit’s responsibility in regard to data storage?
• Reasons for data loss. Sample answer: Mislabeling, mishandling, repeated use, magnetic disruption, natural disasters
• IA’s role in protecting data. Sample answer: Labels, tape/disk/file management systems, adequate disk space, backups, storage sites, temperature and humidity, file name conventions
Part 2, Section B, Topic 1f
Part 2 B – 19V3.0
Discussion Question
What are some examples of privacy according to PA 2130.A1-2?
Sample answer:
• Personal (physical and psychological) privacy
• Privacy of space (no surveillance)
• Privacy of communication
• Privacy of personal information
Part 2, Section B, Topic 1g
Part 2 B – 20V3.0
Privacy Audit Considerations
It’s the law! (PA 2130.A1-2)
• EU Directive on Data Protection
• EU E-Privacy Directive
• Canadian Personal Information Protection and Electronic Documents Act
• US Health Insurance Portability and Accountability Act of 1996
Questions for the privacy audit:
• What personal/private information is the organization collecting? Is it appropriate to collect such information?
• What collection methods are used?
• Is the information used appropriately?
Part 2, Section B, Topic 1g
Part 2 B – 21V3.0
Key Performance Indicators (KPIs)
KPI: Typical measure
• Quantity: Units per day/week
• Quality: Number of returns
• Cost: Material costs/unit
• Timeliness: Schedules, project completion
• Capital: Return on investment
• Revenue: Monetary value of sales
Part 2, Section B, Topic 1h
Part 2 B – 22V3.0
Discussion Question
What are some questions the internal auditor should answer in a performance audit?
Sample answer:
• Does the organization have KPIs?
• Do the KPIs measure success?
• Do the KPIs work for the employees (human factor)?
• Are measurements made at the right time in the process?
• Are the measures used effectively to find and fix deficiencies?
Part 2, Section B, Topic 1h
Part 2 B – 23V3.0
Elements of an Operational Audit
• Consider more than traditional concerns with financial statements.
• Review policies, procedures, and systems.
• Consider quality of management.
• Examine use of resources to achieve goals while safeguarding assets.
• Look at the “soft controls” such as “tone at the top.”
Part 2, Section B, Topic 1i
Part 2 B – 24V3.0
Financial Audits
• External audit focus: Financial statements
• Internal audit focus: Internal controls
Goal: Ensure adherence to controls on financial activities.
Part 2, Section B, Topic 1j
Part 2 B – 25V3.0
Impact of Sarbanes-Oxley Act
Impact upon a public company’s executive officers, financial officers, and persons with similar functions.
Specific impact: Requirement to certify in quarterly and annual reports:
• They have reviewed the reports and believe they are true, complete, and not misleading.
• They are responsible for setting up and maintaining “disclosure controls and procedures.”
• Whether significant changes may have affected internal controls since the last evaluation.
• They have, collectively, disclosed control deficiencies and fraud at high levels.
Part 2, Section B, Topic 1j
Part 2 B – 26V3.0
What are some best practices internal auditors can employ to assist in compliance with the Sarbanes-Oxley Act?
Discussion Question
Sample answer: Proper documentation of policies and controls; quarterly checklists of procedures and key controls; standardized control reports; management self-assessments; review of draft regulatory filings; process maps; follow-up reports on outstanding items.
Part 2, Section B, Topic 1j
Part 2 B – 27V3.0
Discussion Question
Match the role on the left with the letter of the correct player.
Players: A. Executive management; B. Internal auditor; C. External auditor
Role: Player
• Provide assurance that financial reports are fair representations of the organization’s condition in accordance with GAAP. Answer: C
• Provide assurance to management and the board that financial reporting processes are governed by effective controls. Answer: B
• Own the control environment. Answer: A
Part 2, Section B, Topic 1j
Part 2 B – 28V3.0
Internal Audit Assessment of Internal Control Environment
Financial reporting process:
• Strong monitoring?
• Effective control system?
• Risk identification and management?
• Strong ethical environment?
• Oversight by audit committee
Part 2, Section B, Topic 1j
Part 2 B – 29V3.0
IT Audit Engagements
• Hardware (mainframes, PCs, laptops)
• Software (word processors, spreadsheets, databases)
• Operating systems (Windows, Linux, Unix, Mac OS)
• Virus protection/firewalls
• Change or version control (when the IS system changes)
• IT project management
Part 2, Section B, Topic 1k
Part 2 B – 30V3.0
Discussion Question
What are some areas of hardware and operating system exposure for the internal auditor to review?
Sample answer:
• Is there downtime for hardware problems or OS crashes?
• Is hardware sufficient for business needs (enough power, right balance of PCs and laptops)?
• Is the OS appropriate for hardware, network, user needs, and business objectives?
• Are there upgrade plans?
Part 2, Section B, Topic 1k
Part 2 B – 31V3.0
Discussion Question
What is the internal auditor’s role in software application development?
Sample answer:
Review feasibility and system study to assure that team has the right people, control deficiencies are remedied, system can grow, budget is reasonable, and users agree to change.
Part 2, Section B, Topic 1k
Part 2 B – 32V3.0
End-user Computing
Safeguards available to control risk in end-user computing include:
• Commercial backup software.
• Encryption of stored data.
• Security “cards.”
• Master software on all department PCs.
• Strong manual controls when PCs process transactions.
Part 2, Section B, Topic 1k
Part 2 B – 33V3.0
Discussion Question
What are some of the risks and controls related to telephone transmission of voice and data?
Sample answer:
Risks include dropped or corrupted data, downtime, eavesdropping, slow response, and fraudulent messages inserted by wiretapping.
Safeguards include message sequencing, encryption, self-checking algorithms, network-monitoring software, auto dial-back, dedicated lines, and restart/recovery procedures.
Part 2, Section B, Topic 1k
Part 2 B – 34V3.0
Discussion Question
What are “hot,” “warm,” and “cold” sites?
Answer:
• Hot site: Fully equipped site ready for immediate use in emergencies
• Warm site: Site with cooling, electrical hookups, servers, and storage; available for use in 48 hours
• Cold site: Site with utilities but no equipment; requires days or weeks to activate
Part 2, Section B, Topic 1k
Part 2 B – 35V3.0
Discussion Question
What are some things the internal auditor should look for when auditing for ability to cope with IS disruption?
Sample answer:
• How well the organization can function after a disaster.
• Definition of critical applications.
• Existence of a disaster plan providing for:
  – All types of disasters (fire, flood, etc.).
  – Currency of plan and testing.
  – Availability of well-equipped backup sites.
Part 2, Section B, Topic 1k
Part 2 B – 36V3.0
E-Commerce
• How’s the “tone at the top”?
• How are the interfaces?
• Are goals and objectives achievable?
• Are risks acceptable?
• How is the information flow?
• Is the business continuity and disaster recovery plan in place and adequate?
Part 2, Section B, Topic 1k
Part 2 B – 37V3.0
Discussion Question
What are some things the internal audit activity can do to help ensure information protection?
Sample answer: Ensure:
• Management recognizes this responsibility.
• The information security function cannot be breached.
• Management is aware of any faulty security provisions.
• Corrective measures are taken to resolve any/all information security problems.
• Preventive, detective, and mitigative measures are in place to ensure information security.
Part 2, Section B, Topic 1k
Part 2 B – 38V3.0
Enterprise-wide Resource Planning (ERP)
Some concerns:
• “I don’t want to change; I like the system we have!”
• “Is it efficient?” “I can’t tell; it’s too complicated!”
• “Look at this training schedule. Glad I’m not paying for it!”
Auditor’s role:
• Develop a detailed understanding of the system and modules.
• Evaluate the tech environment, including complexity and efficiency.
• Decide if it’s a legacy system.
Part 2, Section B, Topic 1k
Part 2 B – 39V3.0
Discussion Question
What are some benefits to organizations of having an effective compliance program?
Sample answer:
Effective compliance programs can identify and discourage violations, detect illegal activities, assist in proving insurance claims, and enhance and create organizational identity.
Part 2, Section B, Topic 1l
Part 2 B – 40V3.0
Elements of a Compliance Program
• Compliance standards and procedures, including written policies that clearly identify required and prohibited activities
• Organization chart that identifies persons responsible for compliance programs
• Oversight of compliance programs by high-level personnel
• Communication of standards and procedures to all personnel and effective “tone at the top” governance
• “Hot lines” with no reprisal for reporting
• Monitoring and auditing
• Adequate discipline and follow-up to prevent future violations
Part 2, Section B, Topic 1l
Part 2 B – 41V3.0
Environmental Compliance Audits
EH&S audits cover:
• Environmental management systems
• Regulatory compliance
• Due diligence on land purchases
• Hazardous substances tracking
• Waste and pollution minimization
• Environmental liability accrual
• Production processes
Part 2, Section B, Topic 1l
Part 2 B – 42V3.0
CAE Responsibilities
Typical report structure: the EH&S audit activity reports to the EH&S executive.
CAE should:
• Work with the chief environmental officer.
• Schedule periodic EH&S audits.
• Evaluate EH&S auditor compliance with regulations and the ethics code.
• Evaluate environmental audit function placement and independence.
Part 2, Section B, Topic 1l
Part 2 B – 43V3.0
Reinforcing Activity 2-4 (Part 2, Section B, Topics 1h, 1i, 1j, 1l): Conduct Assurance Engagements
and
Reinforcing Activity 2-5 (Part 2, Section B, Topic 1k): Conduct IT Assurance Engagements
Part 2, Section B, Topics 1h, 1i, 1j, 1k, 1l
Part 2 B – 44V3.0
Relationship of Consulting and Assurance
• Both are defined in the IPPF Glossary.
• Consulting and assurance are not mutually exclusive.
• Consulting engagements often derive from assurance engagements.
• Consulting engagements are often requested due to the implementation of new products or services.
Part 2, Section B, Topic 2
Part 2 B – 45V3.0
Discussion Question
What are some services the internal auditor may provide in a consulting engagement?
Sample answer: Services provided in consulting engagements may include counsel, advice, facilitation, and training.
Part 2, Section B, Topic 2
Part 2 B – 46V3.0
Discussion Question
What are some examples of consulting engagements that the internal auditor might appropriately conduct?
Sample answer:
• Internal control training in elements of the COSO framework
• Evaluation of client’s benchmarks
• Systems development life-cycle review
• Design of performance measures such as balanced scorecards
Part 2, Section B, Topic 2
Part 2 B – 47V3.0
Reinforcing Activity 2-6 (Part 2, Section B, Topic 2): Conduct Consulting Engagements
and
Reinforcing Activity 2-7 (Part 2, Section B, Topic 2): IT and Systems Development
Part 2, Section B, Topic 2
Part 2 B – 48V3.0
End of Section B
Questions?
Part 2, Section B