Wiley Cia Exam Review Edited
Although each organization is different in some respects, certain types of employee behavior can be expected in all organizations. The contents of a code of conduct are divided into 3 groups: (1) mandatory (those items that should always appear in a code-of-conduct document), (2) strongly suggested, and (3) desirable. Factors that determine what is appropriate for each specific code are based on a complete understanding of the business and corporate culture.

IIA’S PERFORMANCE STANDARDS
Nature of Work
The internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach (IIA Standard 2100).

Risk Management
• The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems (IIA Standard 2110).
• The internal audit activity should monitor and evaluate the effectiveness of the organization’s risk management system (IIA Standard 2110.A1).
• The internal audit activity should evaluate risk exposures relating to the organization’s governance, operations, and information systems (IIA Standard 2110.A2).
• During consulting engagements, internal auditors should address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks (IIA Standard 2110.C1).
• Internal auditors should incorporate knowledge of risks gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization (IIA Standard 2110.C2).

CORPORATE GOVERNANCE
Corporate governance refers to the method by which a firm is being governed, directed, administered, or controlled and to the goals for which it is being governed. It is concerned with the relative roles, rights, and accountability of such stakeholder groups as owners, boards of directors, managers, employees, and others who assert to be stakeholders.

Corporate Governance Principles and Issues
• Components of corporate governance.
• Roles of four major groups.
• Separation of ownership from control.
• Role of the board of directors.
• Need for board independence.
• Issues surrounding compensation. Major issues include CEO compensation and outside director compensation.
• Consequences of the merger, acquisition, and takeover wave.

5 Internal Control Interrelated Components
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring.

Tiered Approach to Audits
When there is a conflict between the choices, the COSO-based approach should not override the risk-based approach to audits. Self-assessment questionnaires, which are soft controls, can be applied at any organizational level (first tier). The second tier is the activity level (e.g., process, subprocess, function, or department). Hard controls, such as documenting and testing control activities, are evaluated during the second tier. The best approach is analytical: start from objectives, then identify risks and controls, evaluate the design of the controls, and test control effectiveness.

Relationship of Internal Control Objectives and Components
There is a direct relationship between objectives, which are what an entity strives to achieve, and the components, which represent what is needed to achieve the objectives. Information is needed for all three objective categories—to effectively manage business operations, to prepare financial statements reliably, and to determine compliance. All five components are applicable and important to achievement of operations objectives. Each component cuts across and applies to all three objective categories.

Responsibility for Internal Control
Who is responsible for establishing and ensuring an adequate and effective internal control environment within the organization? It is the management, the audit committee, and the board of directors—not the auditors. Auditors are responsible for evaluating whether the system of internal control is adequate and effective, not for establishing it. According to the COSO study, everyone in an organization has responsibility for internal control: management, board of directors, internal auditors, and other personnel.

COSO’s Internal Control Standards Summary

Standard 1: Control Environment
1. Integrity and ethical values
2. Commitment to competence
3. Management’s philosophy and operating style
4. Organizational structure
5. Assignment of authority and responsibility
6. Human resources policies and practices
7. Oversight groups

Standard 2: Risk Assessment
1. Risk identification
2. Risk analysis
3. Managing risk during change
Standard 3: Control Activities
1. Types of control activities
2. Integration with risk assessment
3. Control over information systems
4. Entity-specific control activities

Standard 4: Information and Communication
1. Information
2. Communications
3. Means of communicating

Standard 5: Monitoring
1. Ongoing monitoring activities
2. Separate evaluations
3. Internal reporting of deficiencies

Limitations of Internal Control
• Internal control—even effective internal control—operates at different levels with respect to different objectives. For objectives related to the effectiveness and efficiency of an entity’s operations—achievement of its basic mission, profitability goals, and the like—internal control can help to ensure that management is aware of the entity’s progress, or lack of it. But it cannot provide even reasonable assurance that the objectives themselves will be achieved. The first set of limitations acknowledges that certain events or conditions are simply outside management’s control.
• Internal control cannot provide absolute assurance with respect to any of the three objective categories. The second set of limitations has to do with the reality that no system will always do what it is intended to do. The best that can be expected in any internal control system is that reasonable assurance is obtained.

Criteria of Control (CoCo)—Canada
The Canadian Institute of Chartered Accountants (CICA) has issued 20 “criteria of control” (CoCo) as a framework for making judgments about control. The term “control” has a broader meaning than internal control over financial reporting. CoCo defines control as “those elements of an organization (including its resources, systems, processes, culture, structure, and tasks) that, taken together, support people in the achievement of the organization’s objectives.” It defines three categories of objectives: effectiveness and efficiency of operations; reliability of internal and external reporting; and compliance with applicable laws, regulations, and internal policies.

CoCo Defines Four Types of Criteria: Purpose, Commitment, Capability, and Monitoring and Learning
The purpose type groups criteria that provide a sense of the organization’s direction and address objectives (including mission, vision, and strategy); risks (and opportunities); policies; planning; and performance targets and indicators. The commitment type groups criteria that provide a sense of the organization’s identity and values and address ethical values, including integrity, human resource policies, authority, responsibility, accountability, and mutual trust. The capability type groups criteria that provide a sense of the organization’s competence and address knowledge, skills, and tools; communication processes; information; coordination; and control activities. The monitoring and learning type groups criteria that provide a sense of the organization’s evolution and address monitoring the internal and external environment, monitoring performance, challenging assumptions, reassessing information needs and information systems, follow-up procedures, and assessing the effectiveness of controls.

Control Self-Assessment (CSA)—United States
CSA deals with evaluating the system of internal control in any organization. CSA is a shared responsibility among all employees in the organization, not just internal auditing or senior management.

Elements of CSA
• Up-front planning and preliminary audit work
• Gathering of process owners with a meeting facilitator
• Structured agenda to examine the process’s risks and controls
• Note-taker and electronic voting technology to input comments and opinions
• Reporting the results and the development of corrective action plans

Scope of CSA
CSA can be done either as a standalone project or as a supplement to traditional audit work. CSA is not suitable for situations such as finding fraud or compliance reviews (e.g., regulatory audits), or when participants have conflicting objectives, as in third-party contracts. CSA can be applied to numerous situations, business issues, and industries, regardless of size. It is a management tool that has equal application to horizontal (organization-wide), vertical (single department), or diagonal (process inquiry) issues.

Effect on Auditors
CSA can be used to assess business and financial statement risks; the controls that mitigate those risks; control activities, ethical values, and control effectiveness; and overall compliance with policies and procedures.

Interrelationships between CSA, CoCo, and COSO
CSA can be an effective tool for accomplishing the objectives of both CoCo and COSO. CSA acts as a link between CoCo and COSO.

Cadbury Report—United Kingdom
The Cadbury Report of the Committee on the Financial Aspects of Corporate Governance covers internal controls, fraud, audit (internal and external), financial reporting practices, audit committees, shareholders, corporate governance, the board of directors, and the code of best practice.
The external auditors’ role is to report whether the financial statements give a true and fair view, and the audit is designed to provide reasonable assurance that the financial statements are free of material misstatements. The auditors’ role is not (to cite a few of the misunderstandings) to prepare the financial statements, or to provide absolute assurance that the figures in the financial statements are correct, or to provide a guarantee that the company will continue to exist.

Turnbull Model—United Kingdom
The London Stock Exchange has developed a Combined Code for corporate governance that requires company directors to (at least annually) conduct a review of the effectiveness of the system of internal control and report to shareholders that they have reviewed the effectiveness of all three types of controls: financial, operational, and compliance control.

King Model—South Africa
The Institute of Directors in South Africa has established the King Committee on Corporate Governance. The committee has developed a Code of Corporate Practices and Conduct, and compliance with the code is a requirement for listing on the Johannesburg Securities Exchange (JSE) in South Africa.

KonTraG Model—Germany
KonTraG affects control and transparency in business as part of reforming corporate governance. Specifically, it impacts the board of directors, the supervisory board, corporate capitalization principles, authorization of no-par-value shares, small nonlisted stock corporations, banks investing in industrial companies, and the acceptance of internationally recognized accounting standards.
ENTERPRISE RISK MANAGEMENT VOCABULARY, CONCEPTS, AND TECHNIQUES

Enterprise risk management (ERM)
ERM is defined as a rigorous and coordinated approach to assessing and responding to all risks that affect the achievement of an organization’s strategic and financial objectives. This includes both upside and downside risks.

ERM risks are classified as follows:
• Financial Risk
• Hazard Risk
• Strategic Risk
• Operational Risk.

ERM Vocabulary

Hazard
A condition that creates or increases the probability of a loss.

Three types of hazards exist:
1. Physical Hazard
2. Moral Hazard
3. Morale Hazard.

Hedging
Taking a position opposite to the exposure or risk.

Insurance
An economic device whereby an individual or a corporation substitutes a small certain cost (the premium) for a large uncertain financial loss (the claim, or contingency insured against) that would exist if it were not for the insurance policy (contract).

urban unrest, increasingly complex technology, and changing attitude of legislatures and courts about a variety of issues.

Subjective risk
Refers to the mental state of an individual who experiences doubt or worry as to the outcome of a given event. In addition to being subjective, a particular risk may be either pure or speculative and either static or dynamic.

Objective risk
Differs from subjective risk primarily in the sense that it is more precisely observable and therefore measurable. In general, objective risk is the probable variation of actual from expected experience.

Risk assessment (risk analysis)
The process of identifying the risks and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact. It includes risk measurement and prioritization.

Risk financing
Includes internal funding for risks (self-insurance and residual risk) and external transfer of risks, such as insurance and hedging.

Risk management
The total process of identifying, controlling, and mitigating risks as it deals with uncertainty.

Risk mitigation
Includes designing and implementing controls and control-related procedures to minimize risks.
Some integration is needed to offset the negative effects of differentiation. It is through departmentalization that related jobs, activities, or processes are grouped into major organizational subunits such as departments, divisions, groups, or units.

4 basic types of departmentalization include:
Functional departments
Product-service departments

Organizational Development (OD)
OD is a systematic approach to planned change programs intended to help employees and organizations function more effectively. OD combines the knowledge from various disciplines, such as behavioral science, psychology, sociology, education, and management. OD is a process of fundamental change in an organization’s culture. For OD programs to be effective, not only must they be tailored to unique situations, but they also must meet the 7 common objectives in order to develop trust:

Factors in the Change Process
Internal auditors should consider the following factors in the change process during their audit work:
• Paradigm shift
• Motivating stakeholders
• Grapevine
• Employee empowerment
• Barriers to change
• Departmental border-crossing
• Performance measurement system
• Cultural differences at workplace.

Feedback Control
Feedback control is used to evaluate past activity to improve future performance. It measures actual performance against a standard to ensure that a defined result is achieved.

Contemporary Management Controls
Many new management controls have evolved over the years, including
• Economic-value-added (EVA)
• Market-value-added (MVA)
• Activity-based costing (ABC)
• Open-book management
• Balanced scorecard system.

TYPES OF CONTROL
Engagement Scope
• The established scope should be sufficient to
satisfy the objectives of the engagement (IIA
Standard 2220).
• The scope of the engagement should include
consideration of relevant systems, records,
personnel, and physical properties, including
those under the control of third parties (IIA
Standard 2220.A1).
• If significant consulting opportunities arise during
an assurance engagement, a specific written
understanding as to the objectives, scope,
respective responsibilities, and other
expectations should be reached and the results
of the consulting engagement communicated in
accordance with consulting standards (IIA
Standard 2220.A2).
• In performing consulting engagements, internal
auditors should ensure that the scope of the
engagement is sufficient to address the agreed-
on objectives. If internal auditors develop
reservations about the scope during the
engagement, these reservations should be
discussed with the client to determine whether to
continue with the engagement (IIA Standard
2220.C1).