Part 2 B – 1 V3.0
THE IIA'S CIA LEARNING SYSTEM™
www.LearnCia.com

Part 2, Section B

Section Topics
1. Conduct assurance engagements
2. Conduct consulting engagements

1a. Fraud audits
1b. Control self-assessments
1c. External business relationship audits
1d. Quality audit engagements
1e. Due diligence audit engagements
1f. Security audit engagements
1g. Privacy audit engagements
1h. Performance audit engagements
1i. Operational (efficiency and effectiveness) audit engagements
1j. Financial audit engagements
1k. Information technology (IT) audit engagements
1l. Compliance audit engagements

Part 2 B – 2
Discussion Question
What are the distinguishing features of assurance engagements?

Answer:
• Involve the internal auditor's objective assessment of evidence to provide independent opinion or conclusions regarding a process, system, or other subject matter.
• Nature and scope of engagement are determined by the internal auditor.
• Generally involves three parties (process owners, internal auditor, and users).

Part 2, Section B, Topic 1

Part 2 B – 3
Five Principles to Manage Fraud Risk
• Principle 1: A fraud risk management program should be in place.
• Principle 2: Fraud risk exposure should be assessed periodically.
• Principle 3: Prevention techniques to avoid potential key fraud risk events should be established.
• Principle 4: Detection techniques should be established.
• Principle 5: A reporting process should be in place, and a coordinated approach to investigation and corrective action should be used.

Part 2, Section B, Topic 1a

Part 2 B – 4
Control Self-Assessment (CSA)
(Diagram) Self-assessment workshops + Senior IA facilitators + Broader approach = Increased honesty + Commitment to improve

Part 2, Section B, Topic 1b

Part 2 B – 5
Responsibilities and Roles
(Table: who holds each responsibility "Traditionally" versus "With CSA")
Responsibilities compared: setting business objectives; assessing risks; objectives used; adequacy of internal controls; validating evaluation of risks and controls; evaluating risks and controls; reporting.
Players assigned across the two columns: auditors, management, work teams.

Source: Control Self-Assessment: A Practical Guide by Larry Hubbard.

Part 2, Section B, Topic 1b

Part 2 B – 6
Workshop Categories (Category: Focus)
• Objective-based: Best way to accomplish a business objective
• Process-based: Analysis, revision, or verification of process effectiveness
• Risk-based: Adequacy of controls to mitigate roadblocks to achieving objective
• Control-based: How well controls are working in light of management's intent

Part 2, Section B, Topic 1b

Part 2 B – 7
Discussion Question
What are some factors to consider when developing a CSA questionnaire?

Sample answer:
• Use one topic per question.
• Put easy-to-answer questions first.
• Use words clear in meaning to recipients (use their language).
• Keep it short and simple.
• Address questionnaire in personal manner.
• Personally distribute and collect survey.
• Use in interview conversation.

Source: Control Self-Assessment: A Practical Guide by Larry Hubbard.

Part 2, Section B, Topic 1b

Part 2 B – 8
Discussion Question
What are some examples of the management-produced analyses type of CSA?

Sample answer:
Form of CSA covering most other approaches by management groups to produce information about selected business processes, risk management activities, and control procedures. Often intended to reach an informed and timely judgment about specific characteristics of control procedures and commonly prepared by a team in a staff or support role.
• Management questionnaire to support opinion on required controls
• Discussion among senior financial managers to support annual letter required by external accountants
• Investigation into reasons for control breakdown or fraud
• Review of control implications of a new system or combination of units

Part 2, Section B, Topic 1b

Part 2 B – 9
Discussion Question
What range of roles can the internal auditor play in CSA?

Answer:
• Minimal involvement as an interested party, consultant, or verifier.
• Intense involvement as sponsor, designer, training administrator, process owner.

Part 2, Section B, Topic 1b

Part 2 B – 10
Discussion Question
What are some outcomes that can result from CSA?

Sample answers:
• Assessment and control of risks to achieve business objectives
• Identification and evaluation of soft controls
• Sense of owning controls that leads to timely, effective corrections
• Monitoring and improving objectives-risks-controls infrastructure
• IA involvement in and knowledge about the CSA (from involvement as a facilitator, scribe, and reporter)
• IA activity's information about the organization's controls leading to more effective allocation of audit resources
• Management's responsibility for risk management and controls
• Continuation of IA activity's primary role in validating evaluation process

Part 2, Section B, Topic 1b

Part 2 B – 11
Discussion Question
When might each of the following types of contracts be used most effectively?

Contract Type: Most Effective Use
1. Lump-sum. Sample answer: Work is not complicated and is likely to be completed as agreed-upon.
2. Unit-price. Sample answer: Contractor is delivering a great many identical products or services.
3. Cost-plus. Sample answer: Work involves many unknown factors.

Part 2, Section B, Topic 1c

Part 2 B – 12
Discussion Question
What are some risks of each contract type?

Contract Type: Examples of Risk
1. Lump-sum. Sample answer: Complex challenges may lead to scope creep, with additional costs to hiring organization.
2. Unit-price. Sample answer: Inaccurate reporting of number of units completed and inaccurate or unwarranted pricing of units.
3. Cost-plus. Sample answer: Lack of incentive for contractor to look for best price for products and labor or otherwise contain costs.

Part 2, Section B, Topic 1c

Part 2 B – 13
Some Quality Audit Outcomes
• Recognize risks.
• Prevent or rectify costs of poor quality.
• Identify areas for continuous improvement.
• Assess quality of staff training.
• Verify compliance with the organization's processes, regulations, and laws.
• Eliminate waste (unnecessary activities, controls, etc.).

Part 2, Section B, Topic 1d

Part 2 B – 14
Discussion Question
Define each of the following in regard to due diligence.

What? Sample answer: Investigation of a person, a business, or a financial transaction
Why? Sample answer: To ensure that a proposed action will enhance value and not involve liabilities
By whom? Sample answer: Generally carried out by internal and external auditors and lawyers
When? Sample answer: Most often in connection with real estate purchases and financial transactions

Part 2, Section B, Topic 1e

Part 2 B – 15
Due Diligence Audit Engagement Report
Based upon the engagement report, senior management may decide to:
• Go ahead: No problems discovered—continue with the deal.
• Adjust price: Adjust price to reflect audit findings (usually negative).
• Fix problem: Correct a problem—there is an issue but it can be resolved.
• Back out: Cancel—the liabilities can't be removed at a reasonable cost.

Part 2, Section B, Topic 1e

Part 2 B – 16
Security Audit Engagements
Focus primarily on risk assessment, controls, and governance in regard to:
• Safeguarding of assets
• Reliability/integrity of information

Part 2, Section B, Topic 1f

Part 2 B – 17
Access Controls
• Magnetic access cards
• Biometric access systems
• Physical barriers
• Access-granting procedures and passwords
• Monitoring

Part 2, Section B, Topic 1f

Part 2 B – 18
Discussion Question
What are some reasons data might be lost, and what is internal audit's responsibility in regard to data storage?

Reasons for data loss. Sample answer: Mislabeling, mishandling, repeated use, magnetic disruption, natural disasters
IA's role in protecting data. Sample answer: Labels, tape/disk/file management systems, adequate disk space, backups, storage sites, temperature and humidity, file name conventions

Part 2, Section B, Topic 1f

Part 2 B – 19
Discussion Question
What are some examples of privacy according to PA 2130.A1-2?

Sample answer:
• Personal (physical and psychological) privacy
• Privacy of space (no surveillance)
• Privacy of communication
• Privacy of personal information

Part 2, Section B, Topic 1g

Part 2 B – 20
Privacy Audit Considerations
It's the law! (PA 2130.A1-2)
• EU Directive on Data Protection
• EU E-Privacy Directive
• Canadian Personal Information Protection and Electronic Documents Act
• US Health Insurance Portability and Accountability Act of 1996

Questions for the privacy audit:
• What personal/private information is the organization collecting? Is it appropriate to collect such information?
• What collection methods are used?
• Is the information used appropriately?

Part 2, Section B, Topic 1g

Part 2 B – 21
Key Performance Indicators (KPIs)
KPI: Typical measure
• Quantity: Units per day/week
• Quality: Number of returns
• Cost: Material costs/unit
• Timeliness: Schedules, project completion
• Capital: Return on investment
• Revenue: Monetary value of sales

Part 2, Section B, Topic 1h

Part 2 B – 22
Discussion Question
What are some questions the internal auditor should answer in a performance audit?

Sample answer:
• Does the organization have KPIs?
• Do the KPIs measure success?
• Do the KPIs work for the employees (human factor)?
• Are measurements made at the right time in the process?
• Are the measures used effectively to find and fix deficiencies?

Part 2, Section B, Topic 1h

Part 2 B – 23
Elements of an Operational Audit
• Consider more than traditional concerns with financial statements.
• Review policies, procedures, and systems.
• Consider quality of management.
• Examine use of resources to achieve goals while safeguarding assets.
• Look at the "soft controls" such as "tone at the top."

Part 2, Section B, Topic 1i

Part 2 B – 24
Financial Audits
External audit focus: Financial statements
Internal audit focus: Internal controls
Goal: Ensure adherence to controls on financial activities.

Part 2, Section B, Topic 1j

Part 2 B – 25
Impact of Sarbanes-Oxley Act
Impact upon: public company's executive officers, financial officers, and persons with similar functions.
Specific impact: requirement to certify in quarterly and annual reports:
• They have reviewed the reports and believe they are true, complete, and not misleading.
• They are responsible for setting up and maintaining "disclosure controls and procedures."
• Whether significant changes may have affected internal controls since the last evaluation.
• They have, collectively, disclosed control deficiencies and fraud at high levels.

Part 2, Section B, Topic 1j

Part 2 B – 26
Discussion Question
What are some best practices internal auditors can employ to assist in compliance with the Sarbanes-Oxley Act?

Sample answer: Proper documentation of policies, controls; quarterly checklists of procedures and key controls; standardized control reports; management self-assessments; review of draft regulatory filings; process maps; follow-up reports on outstanding items.

Part 2, Section B, Topic 1j

Part 2 B – 27
Discussion Question
Match the role on the left with letter of the correct player.

Roles:
• Provide assurance that financial reports are fair representations of the organization's condition in accordance with GAAP.
• Provide assurance to management and the board that financial reporting processes are governed by effective controls.
• Own the control environment.

Players:
A. Executive management
B. Internal auditor
C. External auditor

Answer: C, B, A (in the order the roles are listed)

Part 2, Section B, Topic 1j

Part 2 B – 28
Internal Audit Assessment of Internal Control Environment
(Diagram) The financial reporting process is assessed against: Strong monitoring? Effective control system? Risk identification and management? Strong ethical environment? All under oversight by the audit committee.

Part 2, Section B, Topic 1j

Part 2 B – 29
IT Audit Engagements
• Hardware (mainframes, PCs, laptops)
• Operating systems (Windows, Linux, Unix, Mac OS)
• Software (word processors, spreadsheets, databases)
• Virus protection/firewalls
• Change or version control (when IS system changes)
• IT project management

Part 2, Section B, Topic 1k

Part 2 B – 30

Discussion Question

What are some areas of hardware and operating system exposure for the internal auditor to review?

Sample answer:

• Is there downtime for hardware problems or OS crashes?

• Is hardware sufficient for business needs (enough power, right balance of PCs and laptops)?

• Is the OS appropriate for hardware, network, user needs, and business objectives?

• Are there upgrade plans?

Part 2, Section B, Topic 1k

Part 2 B – 31

Discussion Question

What is the internal auditor’s role in software application development?

Sample answer:

Review feasibility and system study to assure that team has the right people, control deficiencies are remedied, system can grow, budget is reasonable, and users agree to change.

Part 2, Section B, Topic 1k

Part 2 B – 32
End-user Computing
Safeguards available to control risk in end-user computing include:
• Commercial backup software.
• Encryption of stored data.
• Security "cards."
• Master software on all department PCs.
• Strong manual controls when PCs process transactions.

Part 2, Section B, Topic 1k

Part 2 B – 33
Discussion Question
What are some of the risks and controls related to telephone transmission of voice and data?

Sample answer:
Risks include dropped or corrupted data, downtime, eavesdropping, slow response, fraudulent messages inserted by wiretapping.
Safeguards include message sequencing, encryption, self-checking algorithms, network-monitoring software, auto dial-back, dedicated lines, restart/recovery procedures.

Part 2, Section B, Topic 1k
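The slide above names message sequencing and self-checking algorithms as safeguards against dropped, corrupted, and fraudulently inserted messages. The receiver-side check below is an added illustration, not part of the IIA course material: each frame carries a sequence number and an HMAC-SHA256 tag computed over the sequence number and payload, so the receiver can tell a gap (dropped frames), an altered or keyless forged frame (tag mismatch), and a replay (sequence number already seen) apart. The key, frame format, and traffic are constructed for the example.

```python
"""Receiver-side checks for two of the slide's safeguards: message
sequencing and a self-checking code (HMAC). Constructed example; the key,
frame layout, and sample traffic are assumptions, not course material."""
import hmac
import hashlib

# Constructed shared key; in practice it comes from a key-management process.
KEY = b"constructed-demo-key-not-for-production"


def mac(seq: int, payload: bytes) -> str:
    """HMAC-SHA256 over sequence number plus payload. Binding the sequence
    number into the tag means a renumbered or replayed frame cannot be
    passed off as a fresh one."""
    return hmac.new(KEY, seq.to_bytes(4, "big") + payload, hashlib.sha256).hexdigest()


def make_frame(seq: int, payload: bytes) -> dict:
    """Sender side: attach sequence number and tag (used to build sample input)."""
    return {"seq": seq, "payload": payload.hex(), "tag": mac(seq, payload)}


def receive(frames: list) -> dict:
    """Process frames in arrival order. Returns the accepted payloads and one
    finding per anomaly, phrased in the slide's own risk vocabulary."""
    expected = 1
    accepted, findings = [], []
    for f in frames:
        payload = bytes.fromhex(f["payload"])
        # Self-checking code: reject anything whose tag does not verify,
        # which covers both corruption in transit and insertion without the key.
        if not hmac.compare_digest(f["tag"], mac(f["seq"], payload)):
            findings.append(f"seq {f['seq']}: tag mismatch (corrupted or fraudulent message)")
            continue
        # Sequencing: a number already consumed is a replay...
        if f["seq"] < expected:
            findings.append(f"seq {f['seq']}: duplicate/replayed message")
            continue
        # ...and a jump past the expected number means frames were dropped.
        if f["seq"] > expected:
            findings.append(f"seq {expected}-{f['seq'] - 1}: dropped message(s)")
        accepted.append(payload.decode())
        expected = f["seq"] + 1
    return {"accepted": accepted, "findings": findings}


def sample_frames() -> list:
    """Constructed traffic exhibiting each failure mode the slide lists:
    frame 3 is dropped, frame 4 is altered in transit, a keyless frame 6 is
    inserted, and frame 2 is replayed at the end."""
    good = {i: make_frame(i, f"payment {i}".encode()) for i in range(1, 6)}
    tampered = dict(good[4], payload=b"payment 9".hex())  # tag no longer matches
    forged = {"seq": 6, "payload": b"transfer 1000000".hex(), "tag": "00" * 32}
    return [good[1], good[2], tampered, good[5], forged, good[2]]


if __name__ == "__main__":
    result = receive(sample_frames())
    print("accepted:", result["accepted"])
    for finding in result["findings"]:
        print("finding:", finding)
```

Encryption, the other cryptographic safeguard on the slide, is deliberately left out so the example isolates what sequencing and integrity checking each detect; in a real link the tag would be computed over the ciphertext and the findings would feed the network-monitoring software the slide also mentions.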

Part 2 B – 34
Discussion Question
What are "hot," "warm," and "cold" sites?

Answer:
• Hot site: Fully equipped site ready for immediate use in emergencies
• Warm site: Site with cooling, electrical hookups, servers, and storage; available for use in 48 hours
• Cold site: Site with utilities but no equipment; requires days or weeks to activate

Part 2, Section B, Topic 1k

Part 2 B – 35
Discussion Question
What are some things the internal auditor should look for when auditing for ability to cope with IS disruption?

Sample answer:
• How well the organization can function after disaster.
• Definition of critical applications.
• Existence of disaster plan providing for:
  – All types of disasters (fire, flood, etc.).
  – Currency of plan and testing.
  – Availability of well-equipped backup sites.

Part 2, Section B, Topic 1k

Part 2 B – 36
E-Commerce
• How's the "tone at the top"?
• How are the interfaces?
• Are goals and objectives achievable?
• Are risks acceptable?
• How is the information flow?
• Is the business continuity and disaster recovery plan in place and adequate?

Part 2, Section B, Topic 1k

Part 2 B – 37
Discussion Question
What are some things the internal audit activity can do to help ensure information protection?

Sample answer: Ensure:
• Management recognizes this responsibility.
• The information security function cannot be breached.
• Management is aware of any faulty security provisions.
• Corrective measures are taken to resolve any/all information security problems.
• Preventive, detective, and mitigative measures are in place to ensure information security.

Part 2, Section B, Topic 1k

Part 2 B – 38
Enterprise-wide Resource Planning (ERP)
Some concerns:
• "I don't want to change; I like the system we have!"
• "Is it efficient?" "I can't tell; it's too complicated!"
• "Look at this training schedule. Glad I'm not paying for it!"

Auditor's role:
• Develop a detailed understanding of the system and modules.
• Evaluate tech environment, including complexity and efficiency.
• Decide if it's a legacy system.

Part 2, Section B, Topic 1k

Part 2 B – 39
Discussion Question
What are some benefits to organizations of having an effective compliance program?

Sample answer:
Effective compliance programs can identify and discourage violations, detect illegal activities, assist in proving insurance claims, and enhance and create organizational identity.

Part 2, Section B, Topic 1l

Part 2 B – 40

Elements of a Compliance Program

• Compliance standards and procedures, including written policies that clearly identify required and prohibited activities

• Organization chart that identifies persons responsible for compliance programs

• Oversight of compliance programs by high-level personnel

• Communication of standards and procedures to all personnel and effective “tone at the top” governance

• “Hot lines” with no reprisal for reporting

• Monitoring and auditing

• Adequate discipline and follow-up to prevent future violations

Part 2, Section B, Topic 1l

Part 2 B – 41
Environmental Compliance Audits
(Diagram) EH&S audits cover:
• Environmental management systems
• Regulatory compliance
• Due diligence on land purchases
• Hazardous substances tracking
• Waste and pollution minimization
• Environmental liability accrual
• Production processes

Part 2, Section B, Topic 1l

Part 2 B – 42
CAE Responsibilities
Typical report structure (diagram): the EH&S audit activity reports to the EH&S executive.

CAE should:
• Work with chief environmental officer.
• Schedule periodic EH&S audits.
• Evaluate EH&S auditor compliance with regulations and ethics code.
• Evaluate environmental audit function placement and independence.

Part 2, Section B, Topic 1l

Part 2 B – 43
Reinforcing Activity 2-4 (Part 2, Section B, Topics 1h, 1i, 1j, 1l): Conduct Assurance Engagements
and
Reinforcing Activity 2-5 (Part 2, Section B, Topic 1k): Conduct IT Assurance Engagements

Part 2, Section B, Topics 1h, 1i, 1j, 1k, 1l

Part 2 B – 44
Relationship of Consulting and Assurance
• Both are defined in the IPPF Glossary.
• Consulting and assurance are not mutually exclusive.
• Consulting engagements often derive from assurance engagements.
• Consulting engagements are requested due to the implementation of new products or services.

Part 2, Section B, Topic 2

Part 2 B – 45
Discussion Question
What are some services the internal auditor may provide in a consulting engagement?

Sample answer: Services provided in consulting engagements may include counsel, advice, facilitation, and training.

Part 2, Section B, Topic 2

Part 2 B – 46
Discussion Question
What are some examples of consulting engagements that the internal auditor might appropriately conduct?

Sample answer:
• Internal control training in elements of the COSO framework
• Evaluation of client's benchmarks
• Systems development life-cycle review
• Design of performance measures such as balanced scorecards

Part 2, Section B, Topic 2

Part 2 B – 47
Reinforcing Activity 2-6 (Part 2, Section B, Topic 2): Conduct Consulting Engagements
and
Reinforcing Activity 2-7 (Part 2, Section B, Topic 2): IT and Systems Development

Part 2, Section B, Topic 2

Part 2 B – 48

End of Section B

Questions?

Part 2, Section B