The document outlines a CIA exam review course covering internal auditing principles, including mandatory guidance, independence, and control frameworks, as well as procedures for conducting audits. It emphasizes the importance of risk management, internal control systems, ethical conduct, and the role of internal auditors in ensuring organizational effectiveness and compliance. Additionally, it touches on evidence gathering, sampling methods, and various statistical approaches relevant to internal auditing.

1. CIA exam review course
Prepared by Jack Davidsz
www.mas-online.nl
1

2. 1. Mandatory Guidance
2. Independence, Objectivity and Due Care
3. Control Frameworks and Fraud
4. Control: Types and Techniques
5. Data Gathering and Data Analysis
6. Conducting the Engagement: Sampling
7. Procedures, Analysis, Conclusions and
Documentation.
2

3. Study Unit 1
3

4. Evolved from a function concerned with financial and
accounting matters to one that addresses the entire
range of operating activities.
4

5. Internal auditing is an independent, objective
assurance and consulting activity designed to add
value and improve an organization’s operations.
It helps an organization accomplish its objectives by
bringing a systematic and disciplined approach to
evaluate and improve the effectiveness of the
organization’s risk management, control, and
governance processes.
IIA Board of Directors, June 1999.
5

6. 1000 Purpose, Authority and Responsibility
1100 Independence and Objectivity
1200 Proficiency and Due Professional Care
1300 Quality Assurance and Improvement Program
6

7. 2000 Managing the Internal Audit Activity
2100 Nature of Work
2200 Engagement Planning
2300 Performing the Engagement
2400 Communicating Results
2500 Monitoring Progress
2600 Management’s Acceptance of Risk
7

8. 8

9. An organization´s code of ethics is the established
general value system the organization wishes to apply
to its members´ activities.
9

10. Code of Ethics
•Principles
•Rules of Conduct
10

11. 1. Integrity
2. Objectivity
3. Confidentiality
4. Competency
HOW ?
11

12. Work with honesty, diligence and responsibility
Observe the law and make disclosures
Be not a party to any illegal activity
Respect the ethical objectives of the organization
12

13. Do not participate in any activity that may impair
unbiased assessment
Do not accept anything that may impair professional
judgment
Disclose all material facts
13

14. Be prudent in the use and protection of information
Do not use information for any personal gain
14

15. Knowledge, skills, and experience
Perform in accordance with the Standards
Continually improve services
15

16. 16

17. To enhance and protect organizational value by
providing risk-based and objective assurance,
advice, and insight.
17

18. 1. Demonstrates integrity.
2. Demonstrates competence and due professional care.
3. Is objective and free from undue influence
4. Aligns with the strategies, objectives, and risks of the
organization.
5. Is appropriately positioned and adequately resourced.
6. Demonstrates quality and continuous improvement.
7. Communicates effectively.
8. Provides risk-based assurance.
9. Is insightful, proactive, and future-focused.
10.Promotes organizational improvement
18

19. Implementation Guidance/Practice Advisories
Supplemental Guidance/Practice Guides
19

20. Mission and Scope of work
Accountability
Independence
Responsibility
Authority
20

21. Study Unit 2
21

22. Functional,
Directly to the Audit Committee or equivalent to ensure
independence and communication
Administrative,
To the CEO or an other executive to afford support to
accomplish day-to-day activities.
22

23. Any relationship that is, or appears to be, not in the best
interest of the organization
Internal Auditor’s Objectivity
?
23

24. Advisory and related client service activities, the nature
and scope of which are agreed upon with the client and
which are intended to add value and improve an
organization’s operations.
24

25. Assurance Services
> 1 year
Formal consulting engagement
Independence and objectivity are strengthened by
Assigning different auditors
Independent management and supervision
Separate accountability for the projects
Disclosing the presumed impairment
25

26. Due Professional care
Expected of a reasonably prudent and competent
internal auditor, who should be alert to the possibility
of intentional wrongdoing, errors and omissions,
inefficiency, waste, ineffectiveness, and conflicts of
interest
Due care implies
Reasonable care and competence not infallibility or
extraordinary performance.
26

27. Oversight and responsibility for the IAA must not be
outsourced
Services must be performed in accordance with the
standards and the guidance for obtaining external
service providers should be considered (PA 1210).
27

28. CAE should assess the competency, independence and
objectivity of the outside service provider.
When the outside service provider performs Internal
Auditing activities the CAE should specify and ensure
that the work complies with the SPPIA.
28

29. Quality Assurance and Improvement
Program covers all aspects of the IAA and continuously
monitors its effectiveness.
Should help the IAA add value and improve the
organization’s operations and provide assurance that
the IAA is in conformity with the Standards and Code
of Ethics.
29

30. Ongoing Reviews
Periodic Reviews
30

31. Should be conducted at least once every five years by a
qualified independent reviewer from outside the
organization
Self assessment with independent, external validation is
an alternative to full external assessment
31

32. Be a competent certified audit professional, who
possesses current knowledge of the Standards
Be well versed in the best practices of the profession
Have at least three years of recent experience in the
practice of internal auditing
32

33. Nonconformance with the Definition of IA, Code of
Ethics or Standards should be disclosed by the CAE to
senior management and Board
33

34. Study Unit 3
34

35. 35

36. Internal Control (COSO)
A process, effected by an entity’s Board of Directors,
management and other personnel, designed to provide
reasonable assurance regarding the achievement of
objectives in the following categories:
36

37. Internal Control
- continued
Effectiveness and efficiency of operations;
Reliability of financial reporting;
Compliance with applicable laws and regulations;
Safeguarding of assets against unauthorized
acquisition, use or disposition.
37

38. Components of the Internal
Control System
•Control Environment CE
•Risk Assessment RA
•Control Activities CA
•Information and Communication IC
•Monitoring MO
38

39. Control Baseline
Change Identification
Change Management
Control Revalidation
39

40. 40

41. 20 criteria grouped into the following 4 components
Purpose
Commitment
Capability
Monitoring and Learning
41

42. CoCo : ethical values, mutual trust
COSO : part of the control environment
42

43. 43

44. 1. Meeting stakeholders needs
◦ Realization of benefits
◦ Optimization of risk
◦ Optimal use of resources.
44

45. 2. Covering the Enterprise End to End. IT governance
must be integrated with enterprise governance.
45

46. 3. Applying a Single, Integrated Framework.
46

47. 4. Enabling a Holistic Approach
◦ Principles, policies, frameworks
◦ Processes
◦ Organizational structures
◦ Culture, ethics and behavior
◦ Information
◦ Services, infrastructure, and application
◦ People, skills and competencies.
47

48. 5. Separating Governance from Management.
48

49. Framework for evaluating the
e-business control environment
49

50. 50

51. Process ..
Applied in strategy setting and across..
Designed to identify potential events..
Manage risks..
To provide reasonable assurance..
Achievement of entity objectives
51

52. 52

53. 1. Risk Avoidence
2. Risk Retention
3. Risk Reduction
4. Risk Sharing
5. Risk Exploitation
53

54. A structured, consistent and continuous process across
the whole organization for identifiying, assessing,
deciding on responses to and reporting on opportunities
and threats that affect the achievements of objectives
54

55. CAE should obtain an understanding of management’s
and board’s expectations of the internal audit activity in
the organization’s risk management process.
55

56. Objectives support and align with the mission.
Significant risks are identified and assessed.
Appropriate risk responses are selected that align
risks with the organization´s risk appetite
Relevant risk information is captured and
communicated in a timely manner across the
organization, enabling staff, management and board
to carry out their responsibilties.
56

57. Formal ↔ informal
Quantitative ↔ subjective
Business unit ↔ at corporate level
57

58. Internal auditors can facilitate or enable risk
management processes, but they should not “own” or
be responsible for the management of the risks
identified.
58

59. No role
Auditing the risk management process
Active, continuous support and involvement
Managing and coordinating
59

60. Setting the risk appetite
Imposing risk management processes
Management assurance on risks
Taking decisions on risk responses
Implementing risk responses on management’s behalf
Accountability for risk management.
60

61. Audit failure
False assurance
Reputation risks
MANAGE YOUR RISKS!
61

62. 62
Any illegal act characterized by deceit, conceilment,
or violation of trust.
These acts are not dependent upon the threat or
violence or physical force.
Perpetrated by parties and organizations to obtain
money, property or services to avoid payment or loss
of services or to secure advantage.
62

63. 63
Pressure or incentive
Opportunity
Rationalization
63

64. Internal auditors are responsible for assisting in the
deterrence of fraud by examining and evaluating the
adequacy and the effectiveness of control,
commensurate with the extent of the potential
exposure/risk in the various segments of the entity’s
operations.
64

65. Responsibilities of the internal auditor
Have sufficient knowledge of fraud to be able to
identify indicators
Be alert to opportunities, such as control weaknesses
Evaluate the indicators that fraud might have been
committed
Notify the appropriate authorities within the
organization if there are sufficient indicators to
recommend an investigation.
65

66. 6666
Examples:
Lack of employee rotation in sensitive positions
Inappropriate combination of job duties
Unclear lines of responsibility and accountability
Unrealistic sales or production goals
Employee who refuses to take vacations

67. Study Unit 4
67

68. Any action taken by management to enhance the
likelihood that established objectives and goals will
be achieved
Preventive
Detective
Directive
Mitigating
68

69. Input Process Output
Feedback
Feed forward
System boundary
69

70. Feedback
Concurrent
Feed forward
70

71. Improvements in IT
Reductions in cost
Popularity of reengineering
Downsizing
71

72. 1. Authorization of transaction
2. Recording of transaction
3. Custody of the asset
72

73. Transaction trails
Uniform processing
Segregation of Functions
Potential for Errors and Fraud
Potential for Increased Management Supervision
Initiation or Subsequent Execution of Transactions by
Computer
Dependence of Controls in Other Areas on Controls
over Computer Processing
73

74. 74

75. 75

76. Sales – Receivables
Collection of Cash
Purchases – Payables
Payment of cash
Payment of employees – allocation of cost
76

77. The employment of all the means devised in an
enterprise to promote, direct, restrain, govern, and
check upon its various activities for the purpose of
seeing that enterprise objectives are met. These means
of control include, but are not limited to, form of
organization, policies, systems, procedures,
instructions, standards, committees, charts of accounts,
forecasts, budgets, schedules, reports, records,
checklists, methods, devices, and internal auditing.
77

78. Organization
Policies
Procedures
Personnel
Accounting
Budgeting
Reporting
78

79. Study Unit 5
79

80. 80
1. Physical evidence
2. Testimonial evidence
3. Documentary evidence
- Internal
- External
4. Analytic evidence

81. 81
Sufficient
Reliable
Relevant
Useful

82. 82
Objectivity
Documentation
Externality
Sample size
Sampling method
Corroboration
Timeliness
Authoritativeness
Directness
Adequacy of controls

83. Input from client
Analytic Procedures
Prior Audit Reports
Process Mapping
Checklists
Documentation and Communication of Results
83

84. Questionnaires
Interviewing
Observation
Checklists
Internal Surveys
External Datasources
84

85. Study Unit 6
85

86. 86
Learning a great deal by looking at a little.
Tasting a spoonful from the pot.
Taking blood tests.

87. 87
Population
Nothing precise in sampling
Confidence level – degree of assurance
Precision – the range
“Point estimates” vs. “range estimates”
Reliability
Variability and effect on sample size
Standard deviation – bell curve
Standard error
Sampling and non-sampling risks

88. 88
Descriptive
statistics
Statistics
Probability
theory
Inferential
statistics

89. 89
Discrete variables
1. Uniform distribution: All outcomes are equally likely
(coins).
2. Binomial distribution: Only 2 possible outcomes (quality
control)
Formula: n! x pr(1-p)n-r
r!(n-r)!

90. 90
3. Bernoulli distribution: only 1 trial ↔ binomial as many as
necessary.
4. Hypergeometric distribution: = binomial sampling without
replacement.
5. Poisson distribution: event may happen more than once with
random frequency during a given period.
Formula: f(k) = λke-λ λ = mean and variance
k! k = number of
occurences

91. 91
Continuous variables
1. Normal distribution

92. 92
Distance in standard
Deviations
Area under the curve
<confidence coefficient> <confidence level>
1.0 68%
1.64 90%
1.96 95%
2.57 99%

93. 93
Regardless of the distribution of the population from
which random samples are drawn, the shape of the
sampling distribution of the mean approaches the
normal distribution as the sample size is increased.

94. 94
Probability of zero occurences in a time period T.
For the exponential distribution, M is used instead
of λ → P = e –m (k=0)

95. 95
3. T-distribution
Small samples, less than 30 with unknown variance.
4. Chi-square distribution: comparison of sample variance
and population variance. Is the sample likely to be from the
population.

96. 96
1. Judgment (non statistical sampling)
2. Statistical sampling
Test of controls
(attribute sampling)
Substantive testing
(variables sampling)
Sampling risk: probability that a properly
drawn sample may not represent the
population.

97. 97
A. Attribute Sampling B. Variables Sampling
Discovery sampling Mean per unit sampling
Stop or go sampling Difference estimation
Acceptance sampling Ratio estimation
Probability-proportional
To size (PPS) (or DUS)

98. 98
1. Mean per unit sampling
Audit values of the sample x N = population value estimated
n
-/- population value real
Precision

99. 99
2. Difference estimation
Audit -/- book values for items in the sample
Add the differences
Calculate mean difference
Multiply the mean by N → Population
Misstatement

100. 100
3. Ratio estimation
Book value of the population
x
∑Audit value of sample items
∑Book value of these sample item
→
Population misstatement
4. PPS = DUS

101. Amounts
Modified version of attribute sampling, relates error rates to
amounts.
Sampling unit
Dollar, Pound, Euro etc.
Stratification
Because the larger account balances have a greater chance of
being selected.
101

102. 102
Overstatements
It is good to test for overstatements, not effective for
estimating understatement errors. Testing of account balances:
inventory, receivables, loans.
Few errors
Useful if few errors are expected
As the number of expected misstatements increases, MUS
requires a larger sample size than classical variables sampling.

103. 103
1. Define audit objectives
2. Define population:
- Noting distributional or systematic patterns
- What type of items included
- Time period
- Population size
3. Determine sampling method
4. Determine the desired precision
= maximum acceptable error rate

104. 104
5. Determine the desired reliability
= confidence level
6. Calculate the sample size
7. Judge the significance of the discovered errors
Conclusions about the population

105. 105
Precision = interval estimator =
confidence interval = prediction interval

106. 106
Incorporates sample mean, population standard deviation
+ probability that the interval includes the true population
parameter
For the population mean this interval is
x ± z (6:√n)
Standard error of the mean

107. 107
Type I error = α
Type II error = β

108. 108
Statistical
Non statistical

109. 109
The end result of sampling
More than just the numbers
Affected by various factors
- Nature of system of control
- Views on administration.
- Views on training and experience of people
- Effect of erroneous transactions
- Effect on other transactions

110. 110
Use scientific sampling when they best fit the audit
objectives
Base audit opinions only on the population sampled
Let every item have an equal chance of being selected
Do not let personal bias affect the sample
Do not permit population patterns affect the
randomness of the sample

111. 111
Do not draw conclusions about the entire population
from a directed sample
Base estimates of maximum error rates on what is
reasonable
Stratify wherever it would appear to reduce
variability in the sample
Do not set needlessly high confidence and precision
levels
Do not stop with statistical results, know why the
variances occurred.

112. Study Unit 7
11
2

113. 113
Comparing information with
expectations identified or developed by
the internal auditor

114. These procedures may identify
Unexpected differences
Absence of expected differences
Potential errors, fraud, or illegal acts
Other unusual or nonrecurring transactions or events
114

115. Entails analysis and measurement of key output against
those of the best organizations.
Own process performance versus performance by the
best in the class.
115

116. 11
6
Inspection of records
Inspection of tangible assets
Observation
Inquiry
Confirmation
Recomputing
Reperformance
Analytical procedure, scanning

117. Conclusion and opinions are the internal auditor’s
evaluations of the effects of the observations and
recommendations on the activities reviewed.
117

118. Input from client
Analytic Procedures
Prior Audit Reports
Process Mapping
Checklists
Documentation and Communication of Results
118

119. 119
Probe deeply for the fundamental causes of identified
problems

120. 120
be prepared by the Internal
Auditor and reviewed by
management of the IAA.
record the information obtained
and the analysis made.
support the bases for
observations and
recommendations to be reported.

121. 121
Members of the organization or outside parties may
request access to working papers.
Internal auditors are encouraged to consult legal
counsel in all matters involving legal issues.

122. 122
Property of the organization
Under control of the IAA
Access subject to approval of CAE or senior
management/legal counsel (outside the organization)

123. 123
Properly protected
Locked files
Reviews in the IAA’s office
Passwords
Backup + storage off-site
Retrievability
Maintain at least 7 years (SOX)

124. 124
1. Interviews
2. Questionnaires
3. Flowcharts
4. Generalized audit software
5. Other audit software
6. Code review
7. Test data
8. Code comparison
9. Concurrent audit techniques

125. 125
Integrated Test Facility (ITF)
Snapshot
Tracing
Embedded Audit Module
System Control Audit Review File (SCARF)
Sample Audit Review File (SARF)

126. © Management Audit Services 2017 126