Summary of CIA Gleim P2 V.2023

Uploaded by Moon
Summary of CIA P2 (Gleim 2023)

  • SU1: Internal Audit Operations
    1.1 Introduction to Internal Auditing
    1.2 Internal Audit Administrative Activities
    1.3 Stakeholder Relationships
    1.4 Internal Audit Resource Requirements
    1.5 Coordination
  • SU2: Assurance and Compliance Engagements
    2.1 Assurance Engagements
    2.2 Risk and Control Self-Assessment
    2.3 Audits of Third Parties & Contract Auditing
    2.4 Quality Auditing
    2.5 Security and Privacy Audits
    2.6 Performance Assurance Engagements
    2.7 Operational Auditing
    2.8 Compliance Auditing
  • SU3: Financial, Environmental, and Consulting Engagements
    3.1 Financial Engagements
    3.2 Environmental Engagements
    3.3 Consulting Engagements -- Overview
    3.4 Consulting Engagements -- Internal Auditor
    3.5 Consulting Engagements -- Benchmarking
    3.6 Consulting Engagements -- Other Types
  • SU4: The Internal Audit Plan
    4.1 Risk-Based Audit Plan
    4.2 Risk Modeling
    4.3 Communicating and Reporting to Senior Management and the Board
  • SU5: Engagement Planning
    5.1 Engagement Planning
    5.2 Identification & Assessment of Key Risks and Controls
    5.3 Engagement Objectives, Scope, and Criteria
  • SU6: Engagement Procedures, Staffing, and Developing the Work Program
    6.1 Engagement Procedures
    6.2 Engagement Staff & Resources
    6.3 Engagement Work Program
  • SU7: Information Gathering
    7.1 The Four Qualities of Information
    7.2 Sources and Nature of Information
    7.3 Questionnaires
    7.4 Interviewing
    7.5 Other Information-Gathering Methods
  • SU8: Sampling and Statistical Quality Control
    8.1 Statistical Concepts
    8.2 Sampling Concepts
    8.3 Attribute Sampling
    8.4 Variables Sampling
    8.5 Statistical Quality Control
  • SU9: Analysis, Evaluation, Documentation, and Supervision
    9.1 Computerized Audit Tools
    9.2 Analytical Approaches and Process Mapping
    9.3 Analytical Review Techniques
    9.4 Workpapers - Purpose and Characteristics
    9.5 Workpapers - Review, Control, and Retention
    9.6 Drawing Conclusions
    9.7 Supervision
  • SU10: Communicating Results and Monitoring Progress
    10.1 Communication with Clients
    10.2 Observations & Recommendations
    10.3 Communicating Engagement Results
    10.4 Communication Qualities and Overall Opinions
    10.5 Exit Conference and Management’s Response
    10.6 Approve and Distribute Reports
    10.7 Monitor Engagement Outcomes
Summary of CIA Part 2 - Gleim 2023 Page 1 of 23 samehacc1@gmail.com


SU1 : INTERNAL AUDIT OPERATIONS

1.1 INTRODUCTION TO INTERNAL AUDITING

1. Nature of Work
(A) The internal audit activity (IAA) helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of Governance, Risk management, and Control (GRC) processes.
(B) Governance: Processes + Structures implemented by the board to monitor the activities of the organization toward the achievement of its objectives.
(C) Risk Management (RM): “A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.”
(D) Control: Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.
(E) Board: is responsible for guiding governance processes. Senior management: is responsible for leading risk management and control processes.
(F) CAE may document in the internal audit charter the roles and responsibilities of the board, senior management, and the IAA.
(G) When determining the strategy for assessing GRC, CAE considers (1) the maturity of these processes, (2) the seniority of the persons responsible, and (3) the organizational culture.

2. Reasonable Assurance
(A) GRC are adequate if management has planned and designed them to provide reasonable assurance of achieving the organization’s objectives efficiently and economically.
(B) Efficient performance accomplishes objectives in an accurate, timely, and economical fashion. Economical performance accomplishes objectives with minimal use of resources (i.e., cost) proportionate to the risk exposure.
(C) Reasonable assurance is provided if the most cost-effective measures are taken in the design and implementation of controls to reduce risks and restrict expected deviations to a tolerable level.

3. Types of Internal Audit Engagements
1) Assurance services
2) Consulting services

1.3 STAKEHOLDER RELATIONSHIPS

1. Stakeholder Relationships
(A) BOD, Audit Committees, Management, External Auditors, & Regulators.
(B) For internal auditors to be effective, they must build and maintain strong constructive relationships with managers and other stakeholders within the organization.

2. Board & Audit Committee
(A) For the IAA to achieve organizational independence, CAE must have direct and unrestricted access to senior management and the board. Accordingly, the CAE should report administratively to senior management and functionally to the board.
(B) The audit committee is a subunit of the board of directors. But not every member of the board is necessarily qualified to serve on the audit committee.
(C) Restrictions on the membership of the audit committee: 1) No member may be an employee of the organization. 2) At least one member must be a financial expert.
(D) To avoid creating conflict between the CEO and the audit committee, the CAE should request board establishment of policies covering the IAA’s relationships with the audit committee.

3. Role of the Audit Committee
(A) The most important function of the audit committee is to promote the independence of the internal and external auditors by protecting them from management’s influence.

4. Relationships with Management
(A) Internal auditors should develop and maintain good working relationships with management using participative auditing methods.

1.2 INTERNAL AUDIT ADMINISTRATIVE ACTIVITIES

1. Overview
(A) CAE is responsible for management of IAA resources in a manner that ensures fulfillment of its responsibilities effectively. The IAA is effectively managed when (1) it achieves the purpose and responsibility included in the internal audit charter, (2) it conforms with the Standards, (3) its individual members conform with the Code of Ethics and the Standards, and (4) it considers trends and emerging issues that could affect the organization (Inter. Std. 2000).
(B) Management oversees the day-to-day operations of the IAA, which include:
1) Budgeting and management accounting
2) Human resource administration
3) Internal communications and information flows
4) Administration of the IAA’s policies and procedures

2. Policies and Procedures (P&P)
(A) The form and content of P&P are dependent upon the size and structure of the IAA and the complexity of its work.
(B) A large, mature IAA may include P&P in a formal operations manual (Detailed). In a smaller or less mature IAA, P&P may reside in separate documents or an audit management software program.

3. Budgeting
(A) CAE creates the operating & financial budget, then the budget is submitted to management & board for review & approval.

4. Human Resources
(A) CAE is responsible for hiring associates to fill the organizational structure of the internal audit function.
(B) Because the selection of a superior staff is dependent on the ability to evaluate applicants, selection criteria must be well-developed.
(C) Interviews are 1. Structured: designed to eliminate individual bias (questions with standardized answers), and 2. Behavioral: determine how candidates handled past situations.



SU1 : INTERNAL AUDIT OPERATIONS

1.4 INTERNAL AUDIT RESOURCE REQUIREMENTS

1. Managing Resources
1) The CAE must ensure that internal audit resources are A) appropriate, B) sufficient, and C) effectively deployed to achieve the approved plan.

A) Appropriate
(1) The mix of knowledge, skills, & other competencies needed to perform the plan.
(2) CAE may conduct skills assessment.
(3) A job description summarizes the duties and qualifications required for a job.

B) Sufficient
(1) The quantity of resources needed to accomplish the plan.
(2) Resource planning considers: 1) The audit universe, 2) Relevant risk levels, 3) The internal audit plan, 4) Coverage expectations, and 5) An estimate of unanticipated activities.
(3) The audit schedule is reduced as a last resort once all other alternatives have been explored, including the request for additional resources.
(4) The CAE is primarily responsible for the sufficiency, but the senior management and the board ultimately must ensure the adequacy.

C) Effectively deployed
(1) When they are used in a way that optimizes the achievement of the approved plan, and by assigning qualified auditors.
(2) The CAE considers succession planning, staff evaluation and development.

2. Outsourcing
1) When an external service provider serves as the IAA, the provider must make the organization aware that the organization has the responsibility for maintaining an effective IAA (responsibility for the IAA must NOT be outsourced).

1.5 COORDINATION

1. The IIA’s Three Lines Model (6 Principles)
Principle 1: Governance
Principle 2: Governing body (Board) roles include ensuring that organizational objectives align with stakeholders’ interests.
Principle 3: Management – 1st- and 2nd-line roles:
  1st-line roles: Delivery of products or services to clients & responsible for risk management
  2nd-line roles: Assist with risk management (1st-line role) by providing expertise, support, monitoring, and challenge
Principle 4: Third-line roles (Internal Audit)
Principle 5: Third-line independence
Principle 6: Creating and protecting value

2. Coordinating the Work of the IAA with Other Providers
(A) The CAE
1) The CAE should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.
2) May rely on the work of other assurance and consulting service providers.
3) Should consider the competency, objectivity, and due professional care of the assurance and consulting service providers.
4) Should have a clear understanding of the scope, objectives, and results of the work performed by other providers of assurance and consulting services.
5) Is still accountable and responsible for ensuring adequate support for conclusions and opinions reached by the IAA.
6) Should identify appropriate liaison activities with the quality audit function to ensure coordination of audit schedules and overall audit responsibilities.
(B) Internal vs. External
1) Internal providers may report to senior management or be part of senior management.
2) External providers may report to senior management, external parties, or the CAE.
3) The external auditor assesses the objectivity and competence of the internal auditors only if (s)he intends to rely on their work.
(C) Process of Coordinating
1) Smaller entities may have informal coordination.
2) Large or regulated entities may have formal and complex coordination.
(D) Methods of Coordinating
1. Assurance mapping: (a) connects significant risk categories and sources of assurance and (b) assesses each category.
2. Combined Assurance Model: the IAA coordinates activities with second line of defense activities, e.g., compliance.

3. Coordinating with Regulatory Oversight Bodies
1) Businesses and not-for-profit organizations are subject to governmental regulation in many countries.
2) In larger organizations, entire departments or functions are established to monitor compliance with the regulations issued by these governmental bodies.
3) Among the responsibilities of the IAA is the evaluation of the organization’s compliance with applicable laws and regulations.



SU2 : ASSURANCE AND COMPLIANCE ENGAGEMENTS

2.1 ASSURANCE ENGAGEMENTS

1. Financial, Compliance, Operational, and IT Auditing
Operational
  Auditing: Is the review of a function or process to appraise the efficiency and economy of operations and the effectiveness with which those functions achieve their objectives.
  Focus: Focuses on the present and future. It is closely aligned with the organization’s mission, vision, and objectives.
  Objectives: Relate to the effectiveness and efficiency of operations.
Compliance
  Auditing: Is the review of financial and operating controls to assess conformance with established laws, standards, regulations, policies, plans, procedures, contracts, and other requirements.
  Focus: Looks at the past and examines the present.
  Objectives: Relate to adherence to applicable laws and regulations.
Financial (Reporting)
  Auditing: Provides analysis of the economic activity of an entity as measured and reported by accounting methods.
  Focus: Looks at the past to determine whether financial information was properly recorded and adequately supported.
  Objectives: Relate to internal and external financial and nonfinancial reporting.
IT
  Auditing: Is the review and testing of IT (for example, computers, technology infrastructure, IT governance, mobile devices, and cloud computing) to assure the integrity of information.
  Focus: Has been done in separate projects by IT audit specialists, but increasingly it is being integrated into all audits.

2. Assurance Mapping
(A) Is a visual representation of an organization’s risks and assurance activities.
(B) May include: 1) Identity of the assurance providers. 2) Risk. 3) Level of assurance. 4) Urgency or importance of the issue. 5) Action to be taken.
(C) Assurance Providers
1) Management: through compliance with laws and regulations, quality assurance, and self-assessments
2) BOD: through the internal audit function
3) External stakeholders: through the independent external auditor, government regulators, & trade associations
(D) Users of an assurance map have the option to increase or decrease assurance.
(E) If a low-risk area has a high level of assurance, the entity may want to consider shifting those assurance resources to a high-risk area.

2.2 RISK AND CONTROL SELF-ASSESSMENT

1. Control Self-Assessment (CSA)
(A) CSA increases awareness of risk and control throughout the organization.
(B) CSA’s basic philosophy is that control is the responsibility of everyone in the organization.

2. Elements of CSA Process
1) Front-end planning and preliminary audit work.
2) An in-person meeting.
3) A structured agenda used by the facilitator.
4) The presence of a scribe to take an online transcription of the session.
5) Reporting and the development of action plans.

3. Responsibilities
(A) Senior management should oversee the establishment, administration, and evaluation of the processes of risk management and control.
(B) Operating managers’ responsibilities include assessment of the risks and controls in their units.
(C) Internal and external auditors provide varying degrees of assurance about the state of effectiveness of the risk management and control processes of the organization.

4. How Internal Auditors Use CSA
(A) Internal Auditing may: 1) Sponsor, design, implement, and own the process; 2) Conduct the training; 3) Supply the facilitators, scribes, and reporters; and 4) Coordinate the participation of management and work teams. OR serve only as an interested party and consultant for the whole process and as the ultimate verifier of the evaluations produced by the teams.
(B) A CSA program: a) Increases the coverage of assessments of control processes across the organization, b) Improves the quality of corrective actions made by the process owners, and c) Focuses the internal audit activity’s work on reviewing high-risk processes and unusual situations.

5. Key Features
1) CSA includes self-assessment surveys and facilitated workshops.

6. Approaches of CSA (3 Approaches)
(1) Facilitation Approach (4 Formats)
(A) Gathers information from work teams representing different levels in the business unit or function.
(B) Formats
1) The objective-based format focuses on the best way to accomplish a business objective. The aim of the workshop is to decide whether the procedures are working effectively and are resulting in residual risks within an acceptable level.
2) The risk-based format focuses on listing the risks to achieving an objective, to determine significant residual risks.
3) The control-based format focuses on how well the controls are working in managing risks, and the comparison to expectations.
4) The process-based format focuses on selected activities that are elements of a chain of processes, to evaluate, update, validate, improve, and even streamline the whole process and its component activities.
(2) Survey / Questionnaire Approach
1) Uses a questionnaire that tends to ask mostly simple “yes/no” or “have/have not” questions that are carefully written to be understood by the target recipients (to minimize the time spent and costs to collect information).
(3) Self-Certification Approach
1) Is based on management-produced analyses to produce information about selected business processes, risk management activities, and control procedures.

7. Workshop Reports
1) In the typical CSA facilitated workshop, a report is substantially created during the deliberations.
2) A consensus is recorded for the various segments of the discussions, and the group reviews the proposed final report before the end of the final session.

8. Limitations
1. The internal auditor may not effectively use the selected CSA approach(es), or the persons performing the self-assessment may not be skilled in risk management and control.



SU2 : ASSURANCE AND COMPLIANCE ENGAGEMENTS

2.3 AUDITS OF THIRD PARTIES AND CONTRACT AUDITING

1. External Business Relationships (EBRs)
(A) Involve
1) Service providers (e.g., internal audit services)
2) Supply-side partners (e.g., outsourcing of production or R&D)
3) Demand-side partners (e.g., licensees or distributors)
4) Strategic alliances and joint ventures (e.g., cost-, revenue-, and profit-sharing in media production and development)
5) Intellectual property (IP) partners (e.g., licensing of software)
(B) Examples of Significant Risks of EBRs
1) They may not be identified and therefore may not be a) Managed, b) Assessed, or c) Monitored
2) EBRs may adversely affect the organization’s reputation, e.g., by violating laws
3) EBRs may have inadequate insurance coverage
4) Service levels or products may be unsatisfactory
5) Conflicts of interest may arise
6) Licensing of intellectual property may result in misuse, theft, or loss of revenue
7) The organization may be overcharged for services
8) The EBR partner may become insolvent
9) The organization’s confidential information may be lost
(C) Auditing EBRs: Internal Auditors
1. Must determine whether the EBR partner has agreed to the audit
2. Need to understand all elements of an EBR: 1) Initiating the EBR, 2) Contracting for and defining the EBR, 3) Procurement, 4) Managing and monitoring the EBR, 5) Discontinuing the EBR
3. Need to understand the expectations of the parties
4. Develop an appropriate audit program with relevant objectives
(D) Cycle for an EBR Audit
1) Understanding the organization, its environment, its processes, and the nature of each EBR
2) Assessing risks and controls
3) Performing the audit: i) Do on-site work at the EBR, ii) Evaluate results, iii) Identify findings and their application, and iv) Reach conclusions
4) Reporting to the Board and senior Management
5) Monitoring progress: whether findings have been addressed or not

2. Third-Party Audits
(A) The external and internal auditors of the organization’s clients must obtain assurance about the security of the organization’s operations and the fulfillment of contractual obligations
(B) The internal auditors should coordinate their activities with those of the third-party auditor to share information and to prevent duplication of effort

3. Contract Auditing
(A) Lump-sum (Fixed Price) Contracts: Consider progress payments, incentives, an escalator clause, adjustments for labor costs, change orders
(B) Cost-plus Contracts: Cost + Fixed Amount OR Cost + Fixed % of cost. May have provisions for maximum costs or incentives for early completion
(C) Unit-price Contracts: Used when a convenient measure of work is available. The key issue is the accurate measurement of the work performed
(D) The internal auditor should recommend that the contract contain a source code escrow clause which requires the application source code to be held in escrow by a trusted third party

2.4 QUALITY AUDITING

1. Quality Auditing
1) The IAA’s role is to provide assurance that the approved quality structures are in place and quality processes are functioning as intended

2. Views of Quality
1) Traditional view: Emphasized the detection of products that do not meet standards
2) Modern view: Quality is a value-added activity performed throughout all processes, from product design to raw materials acquisition and final inspection

3. Total Quality Management (TQM)
1) TQM can increase revenues and decrease costs significantly. Thus, the IAA’s services with respect to the quality function may add substantial value
2) TQM treats the pursuit of quality as a basic organizational function that is as important as production or marketing
3) TQM emphasizes the supplier’s relationship with the customer and identifies customer needs
4) The IAA performs procedures to provide assurance that the basic objectives of TQM are reached, e.g., customer satisfaction, continuous improvement, and promotion of teamwork
5) TQM concepts also apply to the operations of the IAA itself, e.g., periodic internal assessments

2.5 SECURITY AND PRIVACY AUDITS

Physical security must be audited even if software provides most of the protection for information.

1. Information Reliability and Integrity
1) Includes accuracy, completeness, and security
2) IAA determines whether senior management and the board clearly understand that it is a management responsibility for all critical information regardless of its form
3) CAE determines:
  Whether IAA has competent audit resources for evaluating internal and external risks to information reliability and integrity
  Whether senior management, the board, and the internal audit activity will be promptly notified about breaches and conditions that might represent a threat
4) Internal Auditors assess:
  The effectiveness of preventive, detective, and mitigative measures against past and future attacks
  Periodically, reliability and integrity practices, and recommend new or improved controls

2. Privacy Auditing
1. Definitions
a) Personal privacy (physical and psychological)
b) Privacy of space (freedom from surveillance)
c) Privacy of communication (freedom from monitoring)
d) Privacy of information (collection, use, and disclosure of personal information by others)
2. The board is ultimately accountable for identifying principal risks, implementing controls, and managing privacy risk, e.g., by establishing and monitoring a privacy framework
3. The IAA assesses the adequacy of (a) management’s risk identification and (b) the controls that reduce those risks
4. Assumption of responsibility by the IAA may impair independence

3. Use of Personal Information in Performing Engagements
1) Many jurisdictions require organizations to identify the purposes for which personal information is collected at or before collection
2) The laws also prohibit using and disclosing personal information for purposes other than those for which it was collected except with the individual’s consent or as required by law
3) The internal auditor may seek advice from legal counsel before beginning audit work if questions arise about access to personal information
4) Privacy is balanced with the need to allow appropriate and prompt availability of personal information to legitimate users
5) The organization documents compliance with privacy and other legal requirements
6) Benefits of the security arrangements should exceed the costs
7) The IIA’s Code of Ethics requires internal auditors to maintain the confidentiality of private information



SU2 : ASSURANCE AND COMPLIANCE ENGAGEMENTS

2.6 PERFORMANCE ASSURANCE ENGAGEMENTS

(A) A performance audit may provide assurance about the organization’s key performance indicators (KPI).
(B) Internal auditors assess an organization’s ability to measure its performance, recognize deficiencies, and take corrective actions.
(C) Balanced Scorecard
1. It is a report that connects critical success factors (by SWOT Analysis) determined in a strategic analysis with financial and nonfinancial measures of the elements of performance.
2. Identify critical success factors by: a) Internal factors (Strengths and Weaknesses). b) External factors (Opportunities and Threats).
3. The SWOT analysis facilitates development of a strategy by emphasizing the basic factors of cost, quality, and the speed of product development and delivery.
4. Types of Measures:
a) Financial measures: are ultimate results provided to owners, e.g., sales, fair value of stock, profits, and liquidity.
b) Customer measures: reflect customer needs and satisfaction, e.g., customer retention rate.
c) Internal measures: of key processes that drive the business, e.g., quality & productivity.
d) Learning, growth, and innovation measures: are the basis for future success (people and infrastructure).

2.7 OPERATIONAL AUDITING

(A) An operational audit assesses the efficiency and effectiveness of an organization’s operations.
(B) Engagements
1. Process (Functional) Engagements
1) Follow processes crossing organizational lines, service units, and geographical locations.
2) These engagements tend to be challenging because of their scope and the need to deal with organizational units that may have conflicting objectives.
3) Examples: Purchasing & receiving, modification of products, and development of budgets.
2. Program-Results Engagements
1) Are intended to obtain information about the costs, outputs, benefits, and effects of a program.
2) They attempt to measure the accomplishment and relative success of the undertaking.
3) Because benefits often cannot be quantified in financial terms, a special concern is the ability to measure effectiveness.
4) A program is a funded activity not part of the normal, continuing operations of the organization, such as an expansion or a new information system.

2.8 COMPLIANCE AUDITING

(A) Compliance: Is the adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.
(B) Internal Auditors are encouraged to consult legal counsel in all matters involving legal issues. Requirements may vary significantly in different jurisdictions.
(C) Compliance Programs
1) Assist organizations in preventing unintended violations by employees and discouraging intentional violations.
2) Help: (1) prove insurance claims, (2) determine director and officer liability, (3) create or enhance corporate identity, and (4) decide the appropriateness of punitive damages.
(D) Compliance Standards and Procedures
1) Should be clearly written, straightforward, and reasonably capable of reducing the prospect of criminal conduct.
2) Should identify personnel responsible for compliance programs.
3) Include financial incentives that do not reward misconduct.
4) For an international organization, a compliance program on a global basis that reflects local conditions and laws.
(E) Responsibility
1) Specific high-level personnel who are properly empowered and supplied with necessary resources should be responsible for the compliance program.
2) Compliance personnel should have adequate access to senior management, and the chief compliance officer (CCO) should report directly to the CEO.
(F) Applicant Screening
1) Due care should be used to avoid delegating authority to those with a tendency to engage in illegal activities.
2) All applicants should be screened in a lawful manner that does not infringe upon privacy rights. The purpose is to detect evidence of past wrongdoing, especially that within the organization’s industry.
(G) Communication
1) Standards and procedures, including readily available ethics-related documents, should be communicated effectively, preferably in an interactive format and on multiple occasions.
2) New employees should receive basic compliance training as part of their orientation, and agents of the organization should be given a presentation specifically for them.
3) Organizations also should require employees to certify periodically that they have read, understood, and complied with the code of conduct. This information is relayed annually to senior management and the board.
(H) Monitoring and Reporting
1. Monitoring and auditing systems for detecting illegal or unethical behavior and employee hotlines should be used.
2. The compliance review considers: (a) Effectiveness of written materials, (b) Employee receipt of communications, (c) Handling of violations, (d) Fairness of discipline, (e) Observance of any protections given to informants, and (f) Fulfillment of compliance unit responsibilities.
3. An attorney monitoring the hotline is best able to protect the privileges.
4. Employees may have little confidence in such hotlines or in write-in reports or an offsite person assigned to hear complaints. But they may have confidence in hotlines answered by an in-house representative and backed by a nonretaliation policy.
5. A hotline cannot ensure anonymity.
6. An on-site official (an ombudsperson) is more effective if (s)he: (1) reports directly to the chief compliance officer or the board, (2) keeps the names of informants secret, (3) provides guidance to informants, and (4) undertakes follow-up to ensure that retaliation has not occurred.
7. An ethics questionnaire should be sent to each employee asking whether the employee is aware of kickbacks, bribes, or other wrongdoing.
8. Organizational compliance standards should be consistently enforced by adequate, fair, case-specific discipline.
9. Punishment should be appropriate to the offense, such as a warning, loss of pay, suspension, transfer, or termination.
10. The compliance program should provide for the discipline of managers and other responsible persons who knew or should have known of misconduct and did not report it.
11. Termination or other discipline of employees may be limited by: 1) Whistleblower laws; 2) Statutory exceptions to the employee-at-will doctrine; 3) Employee or union contracts; and 4) Employer responsibilities with regard to discrimination, wrongful discharge, and requirements to act in good faith.
12. Failure to detect or prevent a serious violation may indicate that the compliance program needs to be restructured. One change that may be required is the replacement or transfer of compliance personnel.

Summary of CIA Part 2 - Gleim 2023 Page 6 of 23 samehacc1@gmail.com


SU3 : FINANCIAL, ENVIRONMENTAL, & CONSULTING ENGAGEMENTS

3.1 FINANCIAL ENGAGEMENTS

1. Financial Statements and Corporate Governance
Internal auditors provide assurance regarding financial reporting to management and the board.
Many countries require management to provide an assessment of the organization's internal control over financial reporting. Internal auditors assist management in meeting these responsibilities.

2. Management's Assertions
Management implicitly or explicitly makes assertions about the measurement, presentation, and disclosure of information in financial statements.
Part of any engagement may involve testing these assertions to determine whether they are supported by the evidence, which also lets the auditor determine whether controls are working as designed.

3. Key Risks
Key risks affecting the reliability and integrity of financial information include the following: 1) Overstating revenues, 2) Understating expenses, 3) Applying unreasonable accounting estimates, 4) Applying accounting principles that are no longer in effect.
An audit of financial information may follow the cycle approach to internal accounting control (a cycle is a functional grouping of transactions).

4. Accounting Cycles
1. Sales, Receivables, and Cash Receipts Cycle
2. Purchases, Payables, and Cash Disbursements Cycle
3. Production or Conversion Cycle
4. Financial Capital and Payment Cycle
5. Personnel and Payroll Cycle
6. External Financial Reporting Cycle
In small- and medium-sized organizations, some duties must be combined. The internal auditor must assess whether organizational segregation of duties is adequate.

5. Fraud Risk
The auditor plans and performs the audit to obtain reasonable assurance about whether the financial statements (F.S.) are free of material misstatement, whether caused by fraud or error.
Fraud types relevant to the F.S.: 1) Fraudulent financial reporting. 2) Misappropriation of assets.

6. Assessment of Internal Control
The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems.
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
The CAE may recommend a control framework if none exists.

7. Internal Audit Plan
The CAE should develop a flexible (adjustable) internal audit plan to provide sufficient evidence to evaluate control.
The CAE evaluates the plan's coverage. If the scope of the plan is insufficient to permit expression of an opinion about risk management and control, the CAE informs senior management and the board about gaps in audit coverage.

8. A Framework for Internal Control
COSO Framework: control has five components (CRIME)
1) Control activities are the policies and procedures.
2) Risk assessment.
3) Information (internal & external) and communication.
4) Monitoring: assesses the quality of a system's performance over time.
5) The Control Environment: reflects the attitude and actions regarding control within the organization.

9. Reporting on the Effectiveness of Internal Control
The CAE's report on control processes is usually presented annually.
The board must rely on management to maintain adequate and effective internal control:
Effective: if management directs processes to provide reasonable assurance that objectives are achieved.
Adequate: if management has designed them to provide reasonable assurance that (1) risks are managed effectively and (2) objectives are achieved effectively.

10. Roles for the Internal Auditor
1) Financial Reporting
a) Coordinating audit plans & sharing audit results with the external auditors.
b) Communicating pertinent observations about i) Accounting policies, ii) Specific components of the financial reporting, iii) Unusual or complex financial transactions and events.
c) Evaluating the quality of financial reports.
2) Governance
a) Reviewing the organization's policies relating to i) Compliance with laws and regulations, ii) Ethics, iii) Conflicts of interest, and iv) The timely and thorough investigation of misconduct and fraud allegations.
b) Reviewing pending litigation.
c) Providing information on employee conflicts of interest, misconduct, & fraud.
3) Corporate Control
a) Reviewing the reliability and integrity of the operating and financial information compiled and reported by the organization.
b) Performing an analysis of the controls over critical accounting policies and comparing them with preferred practices.
c) Evaluating the process of preparing, reviewing, approving, and posting journal entries.



3.2 ENVIRONMENTAL ENGAGEMENTS

1. Environmental Risks
(a) Environmental, Health, and Safety (EHS) risks should be included in any organization-wide risk management assessment.
(b) EHS risks:
1) Organizational reporting structures.
2) Likelihood of causing environmental harm, fines, and penalties.
3) Expenditures mandated by governmental agencies.
4) History of injuries and deaths.
5) History of losing customers.
6) Episodes of negative publicity and loss of public image and reputation.

2. The common models for environmental auditing include:
a) The CAE and the environmental audit executive are in separate functional units, coordinate their activities, and have little contact.
b) The CAE has responsibility for auditing environmental issues.

3. EHS auditing's findings (independence issues)
1) The EHS audit function is isolated from other auditing activities.
2) EHS audit managers usually report administratively to the executives who are responsible for the physical facilities being audited.
3) Written audit reports are distributed no higher in the organization than to senior environmental executives.
4) Audit information is classified as either (a) subject to the attorney-client privilege or attorney work-product doctrine, (b) secret and confidential, or (c) if not confidential, then closely held. The effect is severely restricted access to EHS audit information.

4. An EHS audit program may be a) compliance-focused, b) management systems-focused, or c) a combination of both approaches.

5. Seven types of environmental audits
1) Compliance audits: detailed, site-specific audits.
2) Environmental management systems audits: determine whether systems are in place and operating properly to manage future environmental risks.
3) Transactional audits: assess the environmental risks and liabilities of land or facilities prior to a property sale or purchase. Current landowners may be responsible for contamination whether or not they caused it.
4) Treatment, storage, and disposal facility (TSDF) audits: the law may require that hazardous materials be tracked from their acquisition or creation to disposal by means of a document.
5) Pollution prevention audits: determine how waste can be minimized and pollution eliminated at the source according to the following hierarchy: a) Recovery as a usable product (most desirable), b) Elimination at the source, c) Recycling and reuse, d) Energy conservation, e) Treatment, f) Disposal, g) Release without treatment (least desirable).
6) Environmental liability accrual audits: may require redefinition of what is probable, measurable, and estimable.
7) Product audits: whether products are environmentally friendly or not.

3.3 CONSULTING ENGAGEMENTS - OVERVIEW

1. The nature of consulting services must be defined in the internal audit charter.

2. Principles Applied to Consulting Activities
a. Value proposition.
b. Consistency with the internal audit definition.
c. Audit activities beyond assurance & consulting: the two are not mutually exclusive.
d. Interrelationship between assurance and consulting (either may give rise to the other).
e. Empower consulting through the IA charter.
f. Objectivity.
g. IA foundation for consulting services: may represent informal or formal advice, analysis, or assessments.
h. Communication of fundamental information to senior management & the board.
i. Principles of consulting understood by the organization.
j. Formal consulting engagements.
k. CAE responsibilities: the CAE retains the prerogative of setting the audit techniques & the right of reporting to senior executives and the board.
l. Criteria for resolving conflicts or evolving issues: an internal auditor is first & foremost an internal auditor.

3. Consulting Engagements' Categories
1) Formal consulting engagements: planned and subject to written agreement.
2) Informal consulting engagements: involve routine activities.
3) Special consulting engagements: e.g., participation on a merger and acquisition team or a system conversion team.
4) Emergency consulting engagements.

3.4 CONSULTING ENGAGEMENTS -- INTERNAL AUDITOR

1. Independence and Objectivity
1) Prior to offering consulting services, the CAE confirms that the board understands and approves the concept of providing consulting services.
2) Once approved, the IA charter is amended to include authority and responsibilities for consulting activities.
3) If impairments to independence or objectivity exist prior to the consulting engagement (or arise afterward), disclosure is made immediately to management.
4) Care is taken so that internal auditors do not inappropriately or unintentionally assume management responsibilities.

2. Due Professional Care
(a) Internal auditors must exercise due professional care during a consulting engagement.
(b) The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
(c) The internal auditor declines to perform consulting engagements that: i) are prohibited by the charter, ii) conflict with the policies and procedures of the internal audit activity, or iii) do not add value and promote the best interests of the organization.
(d) The internal auditor documents general terms, understandings, deliverables, and other key factors of the formal consulting engagement in a written agreement or plan.

3. Scope of Work
(a) The internal auditors must ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. Any reservations must be discussed with the client to determine whether to continue with the engagement.
(b) Work programs for formal consulting engagements document the objectives and scope of the engagement and the methods to be used in satisfying the objectives.

4. Communicating Results
(a) Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client.

5. Documentation
Documentation requirements for assurance engagements do not necessarily apply to consulting engagements. Engagement supervision is addressed only in a performance standard.

6. Monitoring
The IA activity must monitor the disposition of results of consulting engagements to the extent agreed upon with the client.



3.5 CONSULTING ENGAGEMENTS -- BENCHMARKING

1. Benchmarking
a) Is one of the primary tools used in total quality management (TQM).
b) Is a means of helping organizations with productivity management and business process review.
c) Is an ongoing process that involves quantitative and qualitative measurement.

2. Benchmarking Involves:
a) Analyzing and measuring key outputs against those of the best organizations.
b) Identifying the underlying key actions and causes that contribute to the performance difference.

3. Kinds of Benchmarking
1) Competitive: studies an organization in the same industry.
2) Process (function): studies operations of organizations with similar processes regardless of industry.
3) Strategic: a search for successful competitive strategies.
4) Internal: the application of best practices in one part of the organization to its other parts.
5) Generic: observes a process in one operation and compares it with a process having similar characteristics but in a different industry.

4. Benchmarking Phases
1. Select and prioritize benchmarking projects.
2. Organize benchmarking teams.
3. Research and identify best-in-class performance (the most difficult phase). The critical steps are: 1) Setting up databases, 2) Choosing information-gathering methods (internal & external), 3) Formatting questionnaires, and 4) Selecting benchmarking partners.
4. Data analysis: involves identifying performance gaps and understanding the reasons for them.
5. Implementation: leadership is most important, as the team must be able to justify its recommendations.

5. Design of Performance Measurement Systems
a. As an assurance engagement, internal auditors conduct performance audits to measure how well an organization is achieving its targets for its key performance indicators.
b. As a consulting engagement, internal auditors work with clients to improve the performance measured by the key performance indicators.

3.6 CONSULTING ENGAGEMENTS -- OTHER TYPES

1. Internal Control Training
(a) Internal auditors may perform consulting engagements to provide internal control training to the employees of the organization.
(b) The ethical culture of an organization is linked to the governance process and is the most important soft control.

2. Due Diligence Auditing
(a) The term "due diligence" is applied to a service in which internal auditors and others determine the business justification for a major transaction (business combination, joint venture, divestiture, etc.) and whether that justification is valid.
(b) The term "due diligence" may be used for other engagements, for example, certain environmental audits.
(c) The due diligence process establishes whether the expected benefits of the transaction (wider markets, etc.) are likely to be realized.
(d) The Report
(1) The final report should be factual, not subjective, with supporting information indexed and backed up on computer disks.
(2) The report should contain an executive summary with key points highlighted.
(3) The cycle approach used by the acquiring organization to organize its business is a desirable means of structuring the report.

3. Business Process Mapping (Reengineering)
(a) Reengineering
- Involves process innovation and core process redesign.
- Finds new ways of doing things instead of improving existing procedures.
- Emphasizes simplification and elimination of nonvalue-adding activities.
- Is NOT continuous improvement, NOR downsizing or modifying an existing system.
- Should be reserved for the most important processes.
- Is usually a cross-departmental process of innovation requiring substantial investment in information technology and retraining.
- Reengineering and total quality management (TQM) techniques eliminate many traditional controls. They exploit modern technology to improve productivity and decrease the number of clerical workers.
(b) Work Measurement
(1) Is a useful tool in reengineering.
(2) Is a process that involves analysis of activities.
(3) Is appropriate when management takes an engineered-cost approach to control. The engineered-cost approach is indicated when the workload is divisible into control-factor units (with variable cost), for example, number of packages shipped.
(4) Methods: Micromotion study, which requires videotaping the performance of a job; Work sampling, making many random observations of an activity to determine what steps it normally requires.

4. System Development Reviews
Internal auditor involvement (in the early stages and) throughout the systems development life cycle can ensure that the appropriate internal controls and audit trails are included in the application.
Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control. Change management should be subject to structured assurance validation processes.
Project management techniques and controls should be part of the development process, whether developments are performed in-house or are outsourced.



SU4 : THE INTERNAL AUDIT PLAN

4.1 RISK-BASED AUDIT PLAN

1. Risk
(a) Is the possibility of an event occurring that will have an impact on the achievement of objectives.
(b) Is measured in terms of impact and likelihood.

2. Priorities Based on the Risk Assessment
(a) The audit plan of any IAA must reflect the organization's assessment of diverse risks and must be logically related to those identified risks.
(b) The CAE must establish a risk-based plan to determine the priorities of the IAA, consistent with the organization's goals.
(c) The priorities of the IAA are based on the results of risk assessments, with the higher risks given priority.
(d) The priorities of the IAA are necessary to make decisions for applying resources.
(e) The internal audit plan of engagements must be based on a documented risk assessment, undertaken at least annually.
(f) The CAE must review and adjust the plan, as necessary, in response to changes in the organization.
(g) Planning involves considering what services stakeholders want.
(h) Accepted consulting engagements must be included in the plan.
(i) The goals of the IAA should be capable of accomplishment within given operating plans and budgets and should be measurable to the extent possible.

3. The Risk-Based Audit Plan
(a) The Audit Universe
(1) Developing the audit plan often follows developing or updating the audit universe.
(2) The audit universe (all auditable risk areas) may include the organization's strategic plan, all business units, processes, or operations that can be evaluated and defined.
(3) The audit universe should be assessed at least annually.
(b) The IAA's Audit Plan
(1) Is based on 1) the audit universe, 2) input from senior management and the board, & 3) assessed risks.
(2) Usually is prepared for an annual period, but it might be for a rolling 12-month cycle or two or more years with annual evaluation (flexible plan).
(3) Includes: 1) A set of proposed assurance and consulting engagements. 2) The basis (reasons) for inclusion of each engagement (e.g., risk or time elapsed from the most recent audit). 3) The objective and scope of each proposed engagement. 4) Projects derived from the internal audit activity's strategy.
(4) Focuses on: a) Unacceptable current risks requiring management action. b) Control systems on which the organization is most reliant. c) Areas where the difference between inherent risk and residual risk is great. d) Areas where inherent risk is very high.

4. Risk Management (RM) Process
(a) RM is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives.
(b) Management typically uses a framework (e.g., COSO ERM, ISO 31000) to conduct the risk assessment and document the results.
(c) If a framework does not exist, the CAE uses his or her own judgment of risks after consultation with senior management and the board.
(d) Control is often used to manage risk within the risk appetite.
(e) Inherent risk and residual risk (also known as current risk) are fundamental risk concepts.
(f) Key Controls
(1) Key controls reduce an otherwise unacceptable risk to a tolerable level. Controls are processes that address risks.
(2) Effective RM identifies key controls based on the difference between inherent and residual risk across all affected systems.
(3) When identifying key controls (and if RM is mature and reliable), the internal auditor looks for: i) Individual risk factors where the reduction from inherent to residual risk is significant (particularly if inherent risk was very high). ii) Controls that mitigate a large number of risks.
(g) The following factors affect the internal audit plan: 1) Inherent and residual risks. 2) Mitigating controls, contingency plans, and monitoring activities. 3) Risk registers.
(h) Management needs to be notified about unacceptable residual risk.
(i) Internal auditors identify controls with costs exceeding benefits.
(j) Lower-risk audits need to be included in the audit plan to give them coverage and confirm that their risks have not changed.
(k) Among the many considerations for judging an item's risk are the ease with which it can be converted to cash, its accessibility, and its monetary value.

4.2 RISK MODELING

1. Rank and Validate Risk Priorities
(a) Risk modeling is used to rank and validate risk priorities when prioritizing engagements in the audit plan.
(b) Risk factors (e.g., impact and likelihood) may be weighted based on professional judgment to determine their relative significance, but the weights need not be quantified.

2. AICPA Audit Risk Model
(a) The IIA does not officially define audit risk or its components. However, internal auditors can adapt the model to other audit and assurance engagements.
(b) The audit risk model used by the AICPA:
Audit risk = Risk of material misstatement x Detection risk
Audit risk = (Inherent risk x Control risk) x Detection risk
(c) Of the three components, ONLY detection risk is under the auditor's direct control.
(d) The internal auditor must first determine the levels of inherent and control risk for the account or activity under review.
(e) Detection risk has an inverse relationship with control risk: for a given acceptable audit risk, a higher assessed control risk leaves less detection risk the auditor can accept.
(f) Audit Risk Components
1) Audit risk is the risk that an auditor expresses an inappropriate opinion on materially misstated financial statements.
2) Inherent risk is the susceptibility of an assertion about a transaction class, balance, or disclosure to a material misstatement before considering relevant controls.
3) Control risk is the risk that internal control will not timely prevent, or detect and correct, a material misstatement of an assertion.
4) Detection risk is the risk that the audit procedures intended to reduce audit risk to an acceptably low level will not detect a material misstatement. It is also a function of auditing effectiveness (achieving results), NOT efficiency.

4.3 COMMUNICATING AND REPORTING TO SENIOR MANAGEMENT AND THE BOARD

1. Communication & Approval
(a) The CAE must communicate the internal audit activity's plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The CAE must also communicate the impact of resource limitations.
(b) Significant changes in the plan, its basis, or its effects must be approved by the board and senior management.
(c) The frequency and content of reporting are: (1) Determined collaboratively by the CAE, senior management, and the board. (2) Dependent on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management and/or the board.

2. The CAE should communicate information to senior management and the board about:
1) The internal audit charter.
2) Organizational independence of the internal audit activity.
3) Internal audit plans, resource requirements, & performance.
4) Results of audit engagements.
5) Results of the quality assurance & improvement program.
6) Significant risk and control issues & management's acceptance of risk.
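The following Python is an added example, not code from the Gleim summary or the IIA, showing how the risk modeling of 4.1 and 4.2 can be carried out for a constructed audit universe: each auditable entity is scored on impact and likelihood, the factor weights are a professional-judgment input, residual risk is derived from the mitigating controls, the plan is ranked by residual risk, and each engagement carries its basis for inclusion using the focus areas in 3(b)(4), the key-control signal in 4(f), and the coverage rule in 4(j). It also solves the AICPA audit risk model for the detection risk the auditor may accept, which is where the inverse relationship with control risk comes from. The 1-to-5 scale, the weights, the thresholds, the sample entities and their scores, and all function names are assumptions made for illustration.

```python
"""Added example: risk modeling for a risk-based internal audit plan.
Everything below (scale, weights, thresholds, sample universe) is an assumption
for illustration; it is not the Gleim summary's or the IIA's own method."""
from dataclasses import dataclass

SCALE_MAX = 5                 # factors scored 1 (low) .. 5 (high); assumed scale
DEFAULT_WEIGHTS = (2, 1)      # (impact, likelihood): impact judged twice as significant; assumed
KEY_CONTROL_REDUCTION = 2.0   # inherent-to-residual drop that signals heavy reliance on key controls; assumed
VERY_HIGH_INHERENT = 4.5      # assumed threshold for "inherent risk is very high"
STALE_MONTHS = 24             # assumed cycle after which an area is re-audited for coverage


@dataclass
class AuditableEntity:
    """One entry in the audit universe."""
    name: str
    impact: int                   # 1..5 consequence if the risk materialises, before controls
    likelihood: int               # 1..5 chance it materialises, before controls
    control_effectiveness: float  # share of inherent risk the mitigating controls remove, 0..1
    months_since_last_audit: int
    risk_appetite: float          # residual score management has said it will tolerate


def inherent_score(entity, weights=DEFAULT_WEIGHTS):
    """Weighted average of the two risk factors on the 1..5 scale."""
    w_impact, w_likelihood = weights
    for value in (entity.impact, entity.likelihood):
        if not 1 <= value <= SCALE_MAX:
            raise ValueError(f"{entity.name}: factor {value} outside 1..{SCALE_MAX}")
    return (w_impact * entity.impact + w_likelihood * entity.likelihood) / (w_impact + w_likelihood)


def residual_score(entity, weights=DEFAULT_WEIGHTS):
    """Residual (current) risk: the inherent risk left after the controls act on it."""
    if not 0.0 <= entity.control_effectiveness <= 1.0:
        raise ValueError(f"{entity.name}: control effectiveness must be within 0..1")
    return inherent_score(entity, weights) * (1.0 - entity.control_effectiveness)


def basis_for_inclusion(entity, weights=DEFAULT_WEIGHTS):
    """Reasons an engagement is in the plan (the 'basis' the plan must record)."""
    inherent = inherent_score(entity, weights)
    residual = residual_score(entity, weights)
    reasons = []
    if residual > entity.risk_appetite:
        reasons.append("unacceptable residual risk; notify management")
    if inherent - residual >= KEY_CONTROL_REDUCTION:
        reasons.append("large inherent-to-residual gap; key controls relied on")
    if inherent >= VERY_HIGH_INHERENT:
        reasons.append("very high inherent risk")
    if entity.months_since_last_audit >= STALE_MONTHS:
        reasons.append("coverage: confirm risk has not changed since last audit")
    return reasons or ["routine coverage"]


def rank_audit_universe(universe, weights=DEFAULT_WEIGHTS):
    """Order the plan by residual risk, highest first, with the basis for each engagement."""
    ranked = [{
        "name": e.name,
        "inherent": round(inherent_score(e, weights), 2),
        "residual": round(residual_score(e, weights), 2),
        "basis": basis_for_inclusion(e, weights),
    } for e in universe]
    ranked.sort(key=lambda row: row["residual"], reverse=True)
    return ranked


def planned_detection_risk(audit_risk, inherent_risk, control_risk):
    """Solve AR = IR x CR x DR for the detection risk the auditor can accept."""
    for label, value in (("audit_risk", audit_risk), ("inherent_risk", inherent_risk),
                         ("control_risk", control_risk)):
        if not 0.0 < value <= 1.0:
            raise ValueError(f"{label} must be a probability in (0, 1]")
    return audit_risk / (inherent_risk * control_risk)


# Constructed sample audit universe; scores and appetites are illustrative only.
SAMPLE_UNIVERSE = [
    AuditableEntity("Payroll", 4, 3, 0.6, 10, 2.0),
    AuditableEntity("Treasury and cash", 5, 4, 0.5, 6, 2.0),
    AuditableEntity("Privileged access management", 5, 3, 0.2, 30, 2.5),
    AuditableEntity("Facilities maintenance", 2, 2, 0.5, 30, 2.0),
    AuditableEntity("Fixed-asset disposals", 3, 2, 0.3, 18, 2.0),
]

if __name__ == "__main__":
    for row in rank_audit_universe(SAMPLE_UNIVERSE):
        print(f"{row['name']:30} inherent={row['inherent']:.2f} "
              f"residual={row['residual']:.2f}  {'; '.join(row['basis'])}")
    # Same acceptable audit risk and inherent risk: higher control risk, less detection risk to spend.
    print("DR at CR=0.5:", planned_detection_risk(0.05, 0.8, 0.5))
    print("DR at CR=0.9:", round(planned_detection_risk(0.05, 0.8, 0.9), 4))
```

Note that weights enter only through their ratio, so a judgment such as "impact matters about twice as much as likelihood" is enough, consistent with 4.2 1(b) that the weights need not be precisely quantified. Payroll in the sample is not above appetite but still earns a place because its controls remove most of a substantial inherent risk, which is exactly the key-control signal in 4(f)(3).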



SU5 : ENGAGEMENT PLANNING, RISK ASSESSMENT, AND OBJECTIVES

5.1 ENGAGEMENT PLANNING

1. Engagements
(a) An engagement is a "specific internal audit assignment, task, or review activity, such as an internal audit, control self-assessment review, fraud examination, or consultancy."
(b) Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing, and resource allocations.

2. Engagement Planning Considerations
1) The strategies and objectives of the activity being reviewed.
2) The significant risks to the activity.
3) The adequacy and effectiveness of the activity's GRC compared to a relevant framework or model.
4) The opportunities for making significant improvements to the activity's GRC.
5) Resources required and their most effective and efficient use.
6) Retention of documents and decisions about requirements & formats.
7) Beginning preparation of the engagement program, with attention to budgets, forms of final communications, & logistical concerns.
8) Planning requires internal auditors to:
a) Be aware of the planning and discussions that preceded development of the plan.
b) Understand any significant organizational changes since the engagement was included in the annual plan.
c) Understand how the entity's strategies, objectives, and risks affect the engagement.
d) Consider management's current risk assessment.
e) Consider the risk assessment made for the plan of engagements.
f) Consider prior engagement-level risk assessments.
g) Consider prior audit reports.

3. Preliminary Survey
(a) The internal auditors may perform a survey to (1) become familiar with activities, risks, and controls for the purpose of identifying areas for engagement emphasis and (2) invite comments and suggestions from stakeholders.
(b) The components of a survey include:
1) Input from stakeholders
2) Analytical procedures
3) Questionnaires
4) Interviews
5) Observations
6) Prior audit reports and other relevant documentation
7) Process mapping
8) Checklists
(c) The results of the survey are documented and may include: a) Significant issues; b) Engagement objectives and procedures; c) Critical control points, deficiencies, or excess controls; d) Methods, such as those that are technology-based; and e) Reasons for modifying objectives.
Checklists:
1) Checklists (reminder lists) ensure that the auditor has completed necessary tasks.
2) Checklists increase the uniformity of data acquisition.
3) Disadvantages of checklists include the following:
a. Providing a false sense of security that all relevant factors are addressed.
b. Inappropriately implying that equal weight is given to each item.
c. The difficulty of translating the observation represented by each item.
d. Treating a checklist as a rote exercise rather than part of a thoughtful understanding of the unique aspects of the audit.
4) Checklists may be used to control administrative details involved in performing the engagement, to prepare for opening & closing conferences, etc.

5.2 IDENTIFICATION AND ASSESSMENT OF KEY RISKS AND CONTROLS

1. Risk Identification
(a) Risk is an event that may impact the business objectives of the area or process under review.
(b) During planning, internal auditors must identify key business risks and controls, especially the client's inherent risks.
(c) Internal auditors may conduct brainstorming sessions to identify key risks and controls.
(d) Internal auditors also may create a risk and control matrix to identify and assess key risks and controls.

2. Risk Assessment
(a) Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.
(b) Internal auditors consider: (1) Management's assessment of risks; (2) Its reliability; (3) The process for addressing risk and control matters; (4) The reporting about, and the responses to, events exceeding the risk appetite; and (5) Risks in related activities.
(c) The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
(d) A control framework can help structure the identification & implementation of appropriate controls. A major source of effective internal control guidance is Internal Control - Integrated Framework, published by COSO.

5.3 ENGAGEMENT OBJECTIVES, SCOPE, AND CRITERIA

1. Engagement Objectives
(a) After the preliminary survey and risk assessment are complete, internal auditors establish objectives.
(b) The objectives should explain the reasons the activity is being audited, the scope of the engagement, and the assurances to be provided.
(c) Objectives must be established for each engagement.
(d) Engagement objectives are "broad statements developed by internal auditors that define intended engagement accomplishments."
(e) Objectives for assurance engagements must reflect the results of the preliminary assessment of risks relevant to the activity under review.
(f) Objectives for consulting engagements must address governance, risk management, and control processes to the extent agreed upon with the client.
(g) Preliminary objectives of engagements may be based on a) the plan of engagements, b) prior results, c) stakeholder feedback, and d) the auditee's mission, vision, and objectives.
(h) Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

2. Engagement Scope
(a) After establishing risk-based objectives, internal auditors establish the engagement scope.
(b) The established scope must be sufficient to achieve the objectives of the engagement.
(c) Scope defines "what will and will not be included in the engagement."
(d) Internal auditors generally consider the following factors, among others, when establishing the engagement scope: a) The boundaries, subprocesses, and components of the area or process under review. b) In-scope versus out-of-scope locations. c) Time frame.
(e) The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.

3. Engagement Criteria
(a) Adequate criteria are needed to evaluate governance, risk management, and controls.
(b) Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.
(c) Acceptable industry standards, standards developed by professions or associations, standards in law and government regulations, and other sound business practices are usually deemed to be appropriate criteria.
(d) The criteria answer the question "What ought to be?" (Sawyer's Internal Auditing).



SU6 : ENGAGEMENT PROCEDURES, STAFFING, AND DEVELOPING THE WORK PROGRAM

6.1 ENGAGEMENT PROCEDURES

1. Engagement Procedures
(a) Procedures are performed to obtain sufficient, reliable, relevant, and useful information to achieve the engagement objectives.
(b) Persuasiveness of forms of evidence
 1) Physical examination is the most persuasive form.
 2) Direct observation is the next most persuasive form.
 3) Information originating from a third party is less persuasive than information gathered directly by the auditor but more persuasive than information originating from the client.
 4) Information originating with the client can be somewhat persuasive in documentary form, especially if it is subject to effective internal control. But client oral testimony is the least persuasive form.
 5) Original documents are more persuasive than copies.
(c) AICPA Assertions

 Assertions | Transactions and Events (I.S. & Cash Flows) | Account Balances (Balance Sheet) | Presentation & Disclosure (Notes to the F.S.)
 Occurrence | ✓ | | ✓
 Completeness | ✓ | ✓ | ✓
 Accuracy | ✓ | | ✓
 Cutoff | ✓ | |
 Classification | ✓ | | ✓
 Existence | | ✓ |
 Rights & Obligations | | ✓ | ✓
 Valuation & allocation | | ✓ | ✓
 Understandability | | | ✓

(d) Sampling procedures are frequently performed to test a population.
(e) Internal auditors should use available information technology (IT), such as GAS & CAAT.

2. Audit Tests
 1) Tests of controls test the operating effectiveness of controls in preventing, or detecting and correcting, instances of noncompliance. They are required when a) the auditor's risk assessment is based on an expectation of the operating effectiveness of controls or b) substantive procedures alone do not provide sufficient appropriate evidence.
 2) Substantive procedures are used to detect material misstatements at the relevant assertion level. They include (a) tests of details and (b) substantive analytical procedures.

3. Commonly Used Manual Audit Procedures
 3.1 Inquiry
  Inquiry involves asking for information from knowledgeable people within or outside the organization. Inquiry may range from informal oral queries and responses to formal written inquiries. Evaluation by the auditor of the responses received is an essential element of the inquiry process.
  Inquiry produces indirect evidence that, by itself, is typically insufficient, particularly when the respondent is inside the organization. Evidence obtained from inquiry should be corroborated by gathering objective data.
  Types of inquiry: interviews, questionnaires, and surveys.
 3.2 Observation
  Observation involves watching an activity and provides evidence that a process or procedure is being performed appropriately at that point in time.
  Observation is effective for verifying whether (a) particular assets exist or (b) a certain process or procedure is being performed appropriately at a moment in time.
  Observation provides less persuasive information about the assertions.
 3.3 Inspection (Examining)
  a. Inspection involves the examination of records or documents, whether internal or external, in paper form, electronic form, or other media, or a physical examination of an asset.
  b. Inspection of records and documents provides audit evidence of varying degrees of reliability, depending on their nature and source.
  c. Inspection may provide clear evidence regarding the existence assertion but not on ownership.
 3.4 Vouching
  a) Vouching tracks a result backward to the originating event. Tests for existence & occurrence.
 3.5 Tracing
  a) Tracing follows a transaction forward from the triggering event to a resulting event. Tests for completeness.
 3.6 Confirmations
  a) Positive confirmations are used when the amounts being confirmed are material. The recipient is asked to sign and return the letter with a positive assertion that the amount is either correct or incorrect.
  b) Negative confirmations are used when the amounts being confirmed are immaterial or when controls are deemed to be functioning extremely well. The recipients will complain only if they have a dispute with the amount.
 3.7 Reperformance (Recalculation)
  a) Consists of duplicating the client's work and comparing the results.
 3.8 Analytical Procedures
  a) Are evaluations of financial information made by an analysis of relationships among financial and nonfinancial data.
  b) Are used during the planning phase to determine the nature, extent, and timing of auditing procedures.
  c) Include (1) analysis of common-size financial statements, (2) ratio analysis, (3) trend analysis, (4) analysis of future-oriented information, and (5) internal & external benchmarking.
  d) Scanning is a use of professional judgment to review accounting data to identify significant or unusual items to test. For example, an internal auditor might scan the warehouse for damaged or obsolete inventory.

6.2 ENGAGEMENT STAFF & RESOURCES

1. Resources at the Engagement Level
(a) Internal auditors (NOT the CAE) must determine appropriate and sufficient resources to achieve engagement objectives based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.
(b) Engagement resource allocation is based on: 1) the number and experience of staff; 2) the knowledge, skills, & competencies of the staff; 3) training needs; and 4) whether external resources are required.

2. Audit Staff Schedules
(a) Audit staff schedules should be prepared to achieve effective use of time.
(b) All engagements should be under budgetary control. Project budgets and schedules should be developed for each engagement after the preliminary survey.
(c) Budgets are derived by carefully analyzing the time spent in the prior year on the same or a comparable engagement.
(d) The CAE reduces excessive budgets, increases insufficient budgets, or changes the scope of the engagements.
(e) Time budgets for engagements are usually prepared in employee-hours or employee-days.
(f) Time estimates are given to each internal auditor to help with time management.
(g) Staff auditors submit periodic time sheets that indicate time spent and the status of the job.

6.3 ENGAGEMENT WORK PROGRAM

1. Is a "document that lists the procedures (methods) to be followed during an engagement, designed to achieve the engagement plan."
2. Internal auditors must develop and document work programs that achieve the engagement objectives.
3. Must include the procedures for identifying, analyzing, evaluating, & documenting information during the engagement.
4. The work program must be approved prior to its implementation, and any adjustments approved promptly.
5. Work programs reflect choices of procedures needed to assess risks and test related controls in the areas reviewed.
6. Materiality relates to the qualitative or quantitative (i.e., monetary) significance of an item.
7. Pro Forma Work Program
(a) A pro forma or standardized work program is used for repeated engagements related to similar operations.
(b) A pro forma work program is not appropriate for a complex or changing operating environment.



SU7 : INFORMATION GATHERING

7.1 THE FOUR QUALITIES OF INFORMATION

1. Determining whether information is adequate for the internal auditor's purposes is a matter of professional judgment that depends on (1) the particular situation and (2) the internal auditor's training, experience, and other personal traits.
2. Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives.
3. Types of Information
 1) Sufficient
  a) Sufficient information is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor.
  b) The conclusions reached should be those of a prudent, informed person.
  c) A synonym for "reliable" is "competent."
 2) Reliable
  a) Reliable information is the best attainable information through the use of appropriate engagement techniques.
  b) Information is reliable when it is obtained and documented so that a prudent, informed individual can produce the same results and draw the same conclusions.
 3) Relevant
  a) Relevant information supports engagement observations and recommendations and is consistent with the objectives for the engagement.
  b) Relevant information has a logical relationship to what it is offered to prove.
 4) Useful
  a) Useful information helps the organization meet its goals.

7.2 SOURCES AND NATURE OF INFORMATION

1. Sources of Information
 1) External information
  a) External information is created by an independent party and transmitted directly to the internal auditor. External information is regarded as the most reliable.
  b) Example: confirmations of receivables sent in response to the internal auditor's requests.
 2) Internal information
  a) Originates and remains with the engagement client.
  b) Example: payroll records.
 3) External-internal information
  a) Is created by an external party but subsequently processed by the client.
  b) Example: suppliers' invoices.
 4) Internal-external information
  a) Originates with the client but also is processed by an external party.
  b) Example: canceled checks.
 5) Outsourcing services
  a) Outsourcing services, such as clerical, accounting, and internal audit services, may result in information that is difficult to classify in this framework.

2. Nature of Information
 a) Forms of Legal Evidence
  1) Conclusive evidence is absolute proof, by itself. Example: the classic example is that of a watch in the desert.
  2) Direct evidence establishes a particular fact or conclusion without having to make any assumptions. Example: testimony by a witness to an event.
  3) Corroborative evidence serves to confirm a fact or conclusion that can be inferred from other evidence. Example: an employee claims to have been working late on a certain night. A member of the building custodial staff can provide corroborating evidence that this employee was seen in the office.
  4) Circumstantial evidence establishes a fact or conclusion that can then lead by inference to another fact. Example: the analysis of accounts receivable shows a large increase in the current year's accounts receivable versus last year. Sales may then have been inflated.
 b) Forms of Audit Evidence (in order of strength)
  1) Physical information consists of the internal auditor's direct observation and inspection. When physical observation is the only information about a significant condition, at least two internal auditors should view it.
  2) Documentary information exists in some permanent form, such as checks, invoices, shipping records, receiving reports, and purchase orders.
  3) Analytical information is drawn from the consideration of the interrelationships among data or, in the case of internal control, the particular policies and procedures of which it is composed.
  4) Testimonial information consists of written or spoken statements of client personnel and others in response to inquiries or interview questions.
 c) Levels of Persuasiveness of Evidence
  1) An auditor's physical examination provides the most persuasive form of evidence.
  2) Direct observation by the auditor is the next most persuasive.
  3) Information originating from a third party is less persuasive than information gathered by the auditor but more persuasive than information originating from the client.
  4) Information originating with the client can be somewhat persuasive in documentary form. But client oral testimony is the least persuasive of all.
 d) Incomplete Information
  If the client provides the internal auditor with incomplete information, the internal auditor should (a) perform the analysis, (b) assess the effects of the incomplete information, and (c) disclaim any assertion regarding the information's reliability.
 e) Other Considerations
  1) If engagement observations are negative, the client has a reason to push back by finding flaws in the internal auditor's information and reasoning.
  2) Agreement with positive observations may represent client self-interest rather than useful feedback.

7.3 QUESTIONNAIRES

1. Internal Control Questionnaires
 a) Uses of an internal control questionnaire
  1) To obtain an understanding of the client's internal controls.
  2) Filling out the questionnaire while interviewing the person in charge.
  3) Drafting the questionnaire so that a "no" response requires attention.
  4) Supplementing the completed questionnaire with a narrative description or flowchart.
 b) Disadvantages of questionnaires
  1) They are difficult to prepare.
  2) They are time-consuming to administer.
  3) Engagement clients may anticipate the preferred responses and therefore may be deceitful.
  4) Not all circumstances can be addressed.
  5) Requiring management to fill out a questionnaire is less effective than the auditor completing a questionnaire during a face-to-face interview.
2. Pre-Interview Questionnaires (formal questionnaires)
 a) Involve the engagement client's employees & minimize their anxiety.
 b) Provide an opportunity for engagement client self-evaluation.
 c) May result in a more economical engagement.
3. Limitations: Sequence & Format
 a) The sequence & format of questions have many effects on responses.
 b) To reduce these effects, use questionnaire variations.
 c) Questions should be in a logical order, and personal questions should be asked last.



SU7 : INFORMATION GATHERING

7.4 INTERVIEWING

1. General
 1) The main purpose of interviews is to gather facts related to the audit engagement.
 2) Interviewing and other data-gathering activities are usually performed during the preliminary survey phase of an audit engagement.
 3) Interviews obtain testimonial evidence from the engagement client.
 4) People tend to be less careful in their responses if the interview is one-to-one.
 5) An interview is a secure and personal form compared with email or paper-based documents.
 6) Interviews should not be recorded without client consent.
2. Dislike of Evaluation
 1) People dislike being evaluated.
 2) Clients may resent even the most constructive criticism and fear the possible adverse consequences of an audit report.
 3) The internal auditor must gain the confidence of clients by demonstrating self-assurance, persuasiveness, fairness, empathy, and competence.
 4) The internal auditor must avoid over-criticism, especially of minor matters. This may alienate engagement clients and management and not be cost beneficial.
3. Four Types of Interviews
 1) A preliminary interview is used to a) promote the value of internal auditing, b) understand the interviewee, c) gather general information, and d) serve as a basis for planning future interview strategies.
 2) A fact-gathering interview is oriented to the specific details that can be provided by a particular interviewee.
 3) A follow-up interview is intended to answer questions raised during the analysis of the fact-gathering interview.
 4) An exit interview helps to ensure the accuracy of conclusions, findings, and recommendations in the final engagement communication.
4. Planning an Interview
 1) Prepare for the interview by reading operations manuals, organizational charts, prior engagement communications, results of questionnaires, etc.
 2) The auditor should understand not only the engagement client's functions, procedures, and terminology but also the psychological traits of auditee managers.
 3) The auditor should design basic questions by using a) a directive approach emphasizing narrowly focused questions and/or b) a nondirective approach using broad questions that are more likely to provide clarification and to result in unexpected observations.
5. Scheduling Interviews
 1) Except when surprise is needed, an appointment should be made well in advance for a specific time and place.
 2) The meeting should be in the engagement client's office, if feasible.
 3) If possible, interviews should not be scheduled very late in the day, just before or after a vacation, or just before or after a meal.
6. Opening the Interview
 1) The auditor should be on time, and prompt notice should be given if delay is unavoidable.
 2) Brief pleasantries may put the engagement client at ease.
 3) The purpose of the interview should be explained (unless it is a fraud engagement).
 4) The auditor should be polite, helpful, and nonthreatening.
 5) Confidentiality should be assured, if feasible.
7. Basic Communications Theory
 1) A sender transmits an idea through a message.
 2) This message is encoded in writing, in an oral statement, or in body language.
 3) The encoded message is transmitted through a channel or medium to a receiver.
 4) The receiver decodes the message and interprets it.
 5) The receiver may then undertake action or respond to the message.
 6) The words or actions of the receiver provide feedback to the sender.
 7) Nonverbal communication (influenced by culture) is much less precise than verbal communication. However, in some cases, it may convey more information than verbal communication. But it is not necessarily more truthful.
8. Conducting the Interview
 1) The interviewer should be tactful, objective, reasonable, and interested, and avoid an accusatory tone.
 2) The interview should follow the agenda developed in the planning phase. Nevertheless, the interviewer should be flexible.
 3) Active (effective) listening includes observing interviewee behavior (body language), reserving judgment about what is said, asking clarifying questions, and allowing for periods of silence.
 4) Anticipation is one approach the interviewer can use to maintain focus during a far-ranging discussion. Active listening permits anticipation.
9. What Should Be Avoided
 1) Leading questions (questions suggesting the answer) should be avoided.
 2) Loaded questions (questions with self-incriminating answers) also should be avoided.
 3) Questions requiring an explanatory response are usually preferable to those with binary (yes or no) responses.
 4) An interviewer should be suspicious of answers that (1) are too smoothly stated, (2) fit too neatly with the interviewer's own preconceptions, (3) consist of generalizations, or (4) contain unfamiliar technical terminology.
 5) Care should be taken to differentiate statements of fact from statements of opinion.
 6) Debate and disagreement with the interviewee should be avoided.
 7) The interviewee should not feel pressured or coerced during the interview.
10. Documentation
 1) Notes taken during the interview should be sufficiently readable and thorough to permit a full reconstruction of the information gathered.
 2) The interviewee should be informed about the need for note taking.
 3) Notes should be properly dated and labeled, and the names and positions of interviewees should be included.
 4) The amount of time spent not looking at the interviewee should be minimized, and questions should not be asked while jotting notes.
 5) The notes and the memorandum prepared with their help are part of the workpapers and the documentation.
 6) The memorandum should include significant events during the interview, such as interruptions or emotional outbursts.
11. Evaluation
 The internal auditor should consider whether objectives were appropriate, whether they were attained, and, if not, why not. (S)he should also consider whether the planning was efficient, the interviewee was cooperative, and the interviewer made errors.

7.5 OTHER INFORMATION GATHERING METHODS

1. Observation
 1) Observation is looking at a process or procedure being performed.
 2) Observation is most persuasive for the existence or occurrence assertion & less so for the completeness assertion.
 3) Observation is limited because employees who know they are being observed may behave differently while being observed. Accordingly, unobtrusive measures may be preferable.
 4) Lack of experimental control & measurement precision are other limitations of observation.
2. Internal Surveys
 Mail questionnaires are relatively cheap, eliminate interviewer bias, and gather large amounts of data. However, they tend to be inflexible, have a slow response time, and have nonresponse bias.
 Telephone interviews are a flexible means of obtaining data rapidly and controlling the sample. However, they introduce interviewer bias, are more costly, and gather less data than mail surveys.



SU8 : SAMPLING AND STATISTICAL QUALITY CONTROL

8.1 STATISTICAL CONCEPTS

1. Populations and Samples
 1) A population is the entire group of items of interest (all purchase invoices; items of inventory ...).
 2) Sampling involves selecting representative items from a population, examining those selected items, and drawing a conclusion about the population based on the results derived from the examination of the selected items.
 3) The main issue in sampling is choosing a sample that is representative of the population to enable valid and statistically justifiable conclusions to be stated about the population.
2. Population Distributions & Types of Sampling
 1. Population Distributions
  1) Each item in a population is associated with a variable of interest to the auditor.
  2) An important characteristic of a population is the distribution of the values of the variable of interest.
  3) The normal distribution (the bell curve) is one of the many types of distribution. Its values form a symmetrical, bell-shaped curve centered around the mean.
 2. Types of Sampling
  1) Attribute sampling is used to test discrete variables, such as whether invoice payments were or were not appropriately authorized.
  2) Variables sampling is used to test continuous variables, such as the monetary amounts of accounts receivable.
3. Measures of Central Tendency
 1) The shape, height, and width of a population's distribution curve are quantified through its measures of central tendency.
 2) The mean is the arithmetic average of a set of numbers.
 3) The median is the middle value if data are arranged in numerical order.
 4) The mode is the most frequently occurring value. If all values are unique, no mode exists.
 5) In a normal distribution, the mean, median, and mode are the same, and the tails are identical.
 6) In some asymmetrical frequency distributions, the mean is greater than the mode. The right tail is longer, and the distribution is positively skewed (to the right).
 7) In some asymmetrical frequency distributions, the median is greater than the mean.
 8) The median is the best estimate of central tendency for many asymmetrical distributions because the median is not biased by extremes.
4. Standard Deviation and Confidence Level for Normal Distributions
 1) The standard deviation measures the variability within a population. The standard deviation is a measure of the dispersion of a set of data from its mean. When the items have little dispersion, the standard deviation is small, and vice versa.
 2) Normal distributions have many fixed relationships between the area under the curve (confidence level) and the distance from the mean (confidence coefficient).
5. Confidence Level & Confidence Interval
 1) The confidence level is the percentage of times that a sample is expected to be representative of the population. The confidence level is the auditor's desired reliability of the sample.
 2) A confidence interval (precision) for a given confidence level is the range around a sample value that is expected to contain the true population value.
  If the sample size ↑, the confidence interval ↓.
  If the confidence level ↑, the confidence interval ↑.

8.2 SAMPLING CONCEPTS

1. Approaches
 1) Nonstatistical (Judgmental) Sampling
  1) Uses the auditor's subjective judgment to determine the sample size and to select the items to be examined.
  2) The auditor, based on his or her experience, is able to select and test only the items (s)he considers to be the most important.
  3) Advantages: a) The process can be less expensive and less time consuming. b) No special knowledge of statistics and no special statistics software are required. c) The auditor has greater discretion to use his or her judgment and expertise.
  4) Disadvantages: a) Does not provide a quantitative measure of sampling risk or a quantitative expression of sample results. b) If the auditor is not proficient, the sample may not be effective.
 2) Statistical Sampling
  1) Provides an objective method of determining sample size and selecting the items to be examined.
  2) Provides a means of quantitatively assessing precision and confidence level.
  3) Advantages: a) Provides a quantitative measure of sampling risk, confidence level, and precision, and a quantitative expression of sample results. b) Helps the auditor to design an efficient sample.
  4) Disadvantages: a) It can be more expensive and time consuming than nonstatistical sampling. b) It requires special statistical knowledge and training. c) It requires statistical software.
2. Nonsampling vs. Sampling Risk
 1) Detection risk: the risk that audit procedures may fail to detect an issue in the population being audited. Detection risk is comprised of nonsampling risk and sampling risk.
 2) Nonsampling risk is detection risk not related to sampling (failure to recognize an error in a sample).
 3) Sampling risk is the risk that a sample is not representative of the population (and may result in an incorrect conclusion). It is inversely related to sample size: if the sample size ↑, sampling risk ↓.
 4) Audit risk is the risk of expressing an inappropriate audit opinion when the financial statements are materially misstated.
 5) Nondetection of an error in a sample can be caused by auditor inattention, fatigue, misinterpretation of audit evidence, or application of an inappropriate audit procedure.
 6) Statistical sampling: a) allows the auditor to quantify sampling risk. b) An auditor should never attempt to quantify the sampling risk of a nonstatistically drawn sample.
3. Selecting the Statistical Sampling Approach
 1) Random sample: every item in the population has an equal and nonzero chance (probability) of being selected.
 2) An interval (systematic) sampling plan assumes that items are arranged randomly in the population. If they are not, a random selection method should be used.
 3) Block (cluster) sampling randomly selects groups of items as the sampling units rather than individual items. The primary objective of stratification is to minimize variability. Stratification also allows the auditor to apply more audit effort to larger elements or more risky parts of the population.
4. Basic Steps in a Statistical Plan
 1) Determine the plan objectives
 2) Define the population
 3) Determine acceptable levels of sampling risk
 4) Calculate the sample size
 5) Select the sampling approach
 6) Take the sample
 7) Evaluate the sample results
 8) Document the sampling procedures



1. Each item in the population has an attribute of interest, such as 1. Is used for measurements, such as weights or monetary amounts.
evidence of proper authorization. (Discrete Variables) SU8 : SAMPLING AND (continuous variables)

2. Is useful for tests of controls. STATISTICAL QUALITY 2. Is useful for substantive tests.
CONTROL 3. Provides information about whether a stated amount (e.g., the
3. When two outcomes are possible (compliance or noncompliance).
balance of accounts receivable) is materially misstated.

1) Confidence level: is the percentage of times that a sample is expected to be 8.3 ATTRIBUTE 8.4 VARIABLES 1) Confidence level: is the percentage of times that a sample is expected to be
representative of the population. SAMPLING SAMPLING representative of the population.
If The desired confidence level “, The sample size “, efficiency ”, effectiveness “. If The desired confidence level “, The sample size “, efficiency ”, effectiveness “.
The confidence level is the complement of the allowable/acceptable risk of The confidence level is the complement of the allowable/acceptable risk of
overreliance on the control. (1 - % allowable risk) incorrect rejection. (1 - % allowable risk)
2) The population size: is the sum of the items to be considered for testing. 2) The population size: is the sum of the items to be considered for testing.
If The population size “, The sample size “, efficiency ”, effectiveness “. If The population size “, The sample size “. But above certain population
But above certain population size, the sample size does not increase. size, the sample size generally does not increase.
4. Sample Size 4. Sample Size
3) The expected deviation rate (expected rate of occurrence): is an estimate Based on 4 Factors Based on 4 Factors 3) The estimated standard deviation (variability) of the population: is a measure
of the deviation rate in the current population. of the variability of the amounts in the population. (can be based on a pilot sample).
If the population deviation (variability in the population) “, the sample size “. If the estimated standard deviation “, the sample size“ .
4) The tolerable deviation rate (desired precision): is the highest allowable 4) Tolerable misstatement (desired precision): is an interval around the
percentage of the population that can be in error (noncompliance rate) and sample statistic that is expected to include the true balance of the population
still allow the auditor to rely on the tested control. at the specific confidence level.
If tolerable deviation rate ”, the sample size “, efficiency ”, effectiveness “. If the precision ” , the sample size “.
5. If the expected deviation rate > the tolerable deviation rate, the test of the control If the variability “, the sample size “.
should be omitted and the auditor should not rely on the effectiveness of the control, and vice versa.
5. Important Determinants of If the decision sensitivity to estimate errors “, the sample size “.
1) The sample deviation rate = the number of deviations observed in a sample ÷ Sample Size
the sample size. This rate is the best estimate of the population deviation rate If the cost per observation “, the sample size ”.

2) The achieved upper deviation limit (UDL) is based on the sample size & the
number of deviations discovered. Auditors use standard tables to calculate the UDL. 6. Primary Methods of Variables Sampling
3) The allowance for sampling risk (achieved precision) = the achieved UDL
determined from a standard table (-) the sample deviation rate. (1) Unstratified Mean-Per-Unit (MPU) Estimation: averages the audited amounts of the sample items. Steps:
1) Calculate the average amount per sampled item (The total amount of audited items ÷ number of items in the sample).
4) If the sample deviation rate > the expected population deviation rate, the
2) Estimate the correct amount of the population (the average per sampled item × the number of items in the population).
achieved UDL exceeds the tolerable rate at the given risk of overreliance. In that 6. Evaluation of Sample 3) Calculate an achieved precision at the desired level of confidence (the last step × % of precision).
case, the sample does not support the planned reliance on the control. Results
(2) Stratified MPU Estimation:
5) Each deviation should be analyzed to determine its nature, importance, and Is a means of increasing audit efficiency by separating the population into logical groups, then the variability within each
probable cause. is reduced, allowing for a smaller overall sample size.

6) The possible combinations of the sample results & the true state of the population:

   Auditor's estimate based on sample results: deviation rate is less than the tolerable rate
     - True state: deviation rate is less than the tolerable rate → I. Correct
     - True state: deviation rate exceeds the tolerable rate → III. Incorrect: overreliance on internal control & results in audit failure
   Auditor's estimate based on sample results: deviation rate exceeds the tolerable rate
     - True state: deviation rate is less than the tolerable rate → II. Incorrect: underreliance on internal control & affects the efficiency, NOT the effectiveness
     - True state: deviation rate exceeds the tolerable rate → IV. Correct

7. Other Attribute Sampling Methods
1) Discovery sampling: is appropriate when even a single deviation (noncompliance) is critical. The occurrence rate is assumed to be at or near 0%. The sample size (fixed) is calculated so that it will include at least one instance of a deviation if deviations occur in the population at a given rate.
2) Stop-or-go sampling (sequential sampling) is used to reduce the sample size (not fixed) when the auditor believes the deviation rate in the population is low.

(3) Difference Estimation: estimates the misstatement of an amount. This method is appropriate for nonproportional differences & only when per-item recorded amounts for items in the sample and their total are known. Steps:
1) Calculate the difference between the audited (result of test) and recorded amounts of the items in the sample.
2) Calculate the mean difference (the differences in step 1 ÷ the number of sample items).
3) Calculate the estimated total population error (the mean × the number of items in the population).
4) Calculate an achieved precision at the desired level of confidence (the last step × % of precision).

(4) Ratio Estimation: estimates the population misstatement & is appropriate for proportional differences. Steps:
1) Calculate the ratio (the total audited amount of the sample items ÷ the total recorded amount of the sample).
2) Calculate the estimated correct balance of the population (the recorded amount of the population × the ratio in the last step).
3) Calculate an achieved precision at the desired level of confidence (the last step × % of precision).

(5) Monetary-Unit Sampling (MUS), also known as probability-proportional-to-size (PPS) sampling, uses a monetary unit as the sampling unit. It applies attribute sampling methods to reach a conclusion about the probability of overstating monetary amounts. The sampling unit is a unit of money. MUS is most useful if few misstatements are expected and overstatements are more likely than understatements.
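The difference-estimation and ratio-estimation steps above, carried through in code as an added example (not part of the Gleim summary); the five-item sample, the population size of 2,000 items with a recorded total of 1,000,000, and the 5% precision figure are constructed values, and the achieved-precision step follows the page's simplification (projected amount × % of precision).

```python
"""Difference and ratio estimation as laid out in SU8 8.4.
Added example, not Gleim's own code. Sample data are constructed."""
from dataclasses import dataclass


@dataclass
class SampleItem:
    recorded: float   # amount on the client's books
    audited: float    # amount established by the audit test


# Constructed sample: 5 items drawn from a population of 2,000 receivables
# whose recorded total is 1,000,000. Values are illustrative only.
SAMPLE = [
    SampleItem(recorded=500.0, audited=480.0),
    SampleItem(recorded=1200.0, audited=1200.0),
    SampleItem(recorded=300.0, audited=250.0),
    SampleItem(recorded=800.0, audited=780.0),
    SampleItem(recorded=450.0, audited=450.0),
]
POPULATION_ITEMS = 2000
POPULATION_RECORDED_TOTAL = 1_000_000.0


def difference_estimate(sample, population_items, precision_pct):
    """Steps 1-4 of difference estimation.
    Returns (mean_difference, projected_population_error, achieved_precision)."""
    if not sample:
        raise ValueError("difference estimation needs at least one sample item")
    # Step 1: audited minus recorded for each item (negative = books overstated)
    diffs = [it.audited - it.recorded for it in sample]
    # Step 2: mean difference per sample item
    mean_diff = sum(diffs) / len(sample)
    # Step 3: projected total population error
    projected = mean_diff * population_items
    # Step 4: achieved precision at the chosen confidence, using the page's
    # simplification (projected error x precision %); a full treatment would
    # be based on the standard deviation of the differences instead
    precision = abs(projected) * precision_pct
    return mean_diff, projected, precision


def ratio_estimate(sample, population_recorded_total, precision_pct):
    """Steps 1-3 of ratio estimation.
    Returns (ratio, estimated_correct_balance, achieved_precision)."""
    recorded_total = sum(it.recorded for it in sample)
    if recorded_total == 0:
        raise ValueError("ratio estimation needs a non-zero recorded sample total")
    audited_total = sum(it.audited for it in sample)
    # Step 1: total audited / total recorded over the sample
    ratio = audited_total / recorded_total
    # Step 2: estimated correct balance of the whole population
    estimated_balance = population_recorded_total * ratio
    # Step 3: achieved precision (page's simplification, as above)
    precision = estimated_balance * precision_pct
    return ratio, estimated_balance, precision


if __name__ == "__main__":
    print(difference_estimate(SAMPLE, POPULATION_ITEMS, 0.05))
    print(ratio_estimate(SAMPLE, POPULATION_RECORDED_TOTAL, 0.05))
```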

Summary of CIA Part 2 - Gleim 2023 Page 16 of 23 samehacc1@gmail.com


SU8 : SAMPLING AND STATISTICAL QUALITY CONTROL

8.4 VARIABLES SAMPLING (Cont.)

6. Characteristics of Variables and Attribute Sampling Methods

Variables Sampling
(1) Unstratified Mean-Per-Unit (MPU) Estimation
● Less efficient than ratio estimation when a high error rate is expected.
● Inappropriate when many small balance account errors exist.
(2) Stratified MPU Estimation
● Greater emphasis on larger or more important items.
● Increases audit efficiency by separating the population into logical groups (subpopulations).
● Variability within a stratum is reduced. Thus, sample size is reduced.
● Used when sampling for monetary values.
(3) Difference Estimation
● Individual carrying amounts must be known to use difference estimation.
● Sufficient misstatements must exist to generate a reliable sample.
● Reliable and efficient when small errors predominate and the errors are not skewed.
● If the number of errors is small, a very large sample is required to provide a representative difference between audit and recorded amounts.
(4) Ratio Estimation
● More efficient than mean-per-unit when a high error rate is expected.
● Reliable and efficient when small errors predominate and the errors are not skewed.
● Audit amounts should be proportional to carrying amounts.
● Appropriate for proportional differences.
● If the number of errors is small, a very large sample is required to provide a representative difference between audit and recorded amounts.
● A minimum number of differences must be present to use ratio estimation.
● Proportional relationships and differences support the use of ratio estimation.
(5) Monetary-Unit Sampling (MUS), also known as probability-proportional-to-size (PPS) sampling
● Less accurate when many errors are expected.
● Estimates monetary amounts of errors when the expected error frequency is low.
● Because the sampling unit is the monetary unit, this method increases the likelihood of selecting large items.
● A measure of variability is not needed.

Attribute Sampling
● Not used to estimate a monetary amount.
● Used for applications involving binary (yes/no or right/wrong) propositions.
● Turnover volume is a characteristic of interest in attribute sampling.

8.5 STATISTICAL QUALITY CONTROL

1. Statistical quality control determines whether a shipment or production run of units lies within acceptable limits. Items are either good or bad, i.e., inside or outside of control limits. It is also used to determine whether production processes are out of control.

2. Acceptance sampling determines the probability that the rate of defective items in a batch is less than a specified level.

3. Statistical Control Charts
a) Are graphic aids for monitoring the status of any process subject to acceptable or unacceptable variations during repeated operations.
b) Types of Charts
1) Control Chart: (applies to products) consists of three lines plotted on a horizontal time scale. The center line represents the overall mean or average range for the process being controlled. The other two lines are the upper control limit (UCL) and the lower control limit (LCL). If the value falls outside the limits, the result is abnormal, the process is considered out of control, and an investigation is made for possible corrective action. An advantage of the chart is that it makes trends and cycles visible. A disadvantage of the chart is that it does not indicate the cause of the variation.
2) P charts: show the percentage of defects in a sample. They are based on an attribute (acceptable/not acceptable) rather than a measure of a variable.
3) C charts: also are attribute control charts. They show defects per item.
4) R chart: shows the range of dispersion of a variable, such as size or weight. The center line is the overall mean.
5) X-bar chart: shows the sample mean for a variable. The center line is the average range.
6) Pareto diagram: is a bar chart that ranks the occurrences of the independent variable from highest to lowest value, and assists managers in what is commonly called 80:20 analysis. The 80:20 rule states that 80% of all effects are the result of only 20% of all causes. For quality control, managers optimize their time by focusing their effort on the sources of most problems.
7) Histogram: displays a continuous frequency distribution of the independent variable in the form of a bar graph.
8) Fishbone (Ishikawa) diagram: (also called a cause-and-effect diagram) is a total quality management process improvement technique. Fishbone diagrams are useful in studying causation (why the actual and desired situations differ), and for determining the unknown causes of problems.

4. Causes of Variations in a Process Parameter
1) Random variations occur by chance. Present in virtually all processes, they are not correctable because they will not repeat themselves in the same manner.
2) Implementation deviations occur because of human or mechanical failure to achieve target results.
3) Measurement variations result from errors in the measurements of actual results.
4) Model fluctuations can be caused by errors in the formulation of a decision model.
5) Prediction variances result from errors in forecasting data used in a decision model.

5. Benchmarks
a) Establishing control limits based on benchmarks is a common method. A more objective method is to use the concept of expected value. The limits are important because they are the decision criteria for determining whether a deviation will be investigated.

6. Cost-Benefit Analysis
a) An analysis using expected value provides a more objective basis for setting control limits. The limits of controls should be set so that the cost of an investigation is less than or equal to the benefits derived.
b) Total expected cost = (Probability of being out of control × Cost of corrective action) + (Probability of being in control × Investigation cost).
c) The expected value of benefits = (the probability of being out of control × the cost of not being corrected).
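The control chart of 8.5 item 3 and the expected-value investigation rule of item 6, as an added example (not from the Gleim summary): the baseline subgroup means, the later readings, the three-sigma limit setting and the cost figures are all constructed assumptions.

```python
"""Control chart limits and the expected-value investigation test from SU8 8.5.
Added example, not Gleim's own code. Data and costs are constructed."""
from statistics import mean, pstdev

# Constructed: eight subgroup means from a run known to be in control,
# followed by five later readings to be checked against the chart.
BASELINE = [10.0, 10.2, 9.8, 10.1, 9.9, 10.0, 10.3, 9.7]
READINGS = [10.1, 9.9, 11.5, 10.0, 8.2]


def control_limits(subgroup_means, k=3.0):
    """The three lines of a control chart: center line = overall mean of the
    subgroup means; LCL/UCL = center -/+ k standard deviations. k=3 is the
    conventional three-sigma setting and is an assumption of this example.
    Returns (lcl, center, ucl)."""
    if len(subgroup_means) < 2:
        raise ValueError("need at least two subgroup means to set limits")
    center = mean(subgroup_means)
    sigma = pstdev(subgroup_means)
    return center - k * sigma, center, center + k * sigma


def out_of_control_points(values, lcl, ucl):
    """(index, value) of every point outside the limits. Each one is the
    'abnormal' result the page describes and triggers an investigation;
    the chart itself does not say why the point is out."""
    return [(i, v) for i, v in enumerate(values) if v < lcl or v > ucl]


def should_investigate(p_out_of_control, investigation_cost, cost_if_not_corrected):
    """Item 6a/6c: investigate when the investigation cost is less than or
    equal to the expected benefit, P(out of control) x cost of not correcting."""
    expected_benefit = p_out_of_control * cost_if_not_corrected
    return investigation_cost <= expected_benefit


def total_expected_cost(p_out_of_control, corrective_cost, investigation_cost):
    """Item 6b, implemented exactly as the page states it."""
    return (p_out_of_control * corrective_cost
            + (1.0 - p_out_of_control) * investigation_cost)


if __name__ == "__main__":
    lcl, center, ucl = control_limits(BASELINE)
    print(f"LCL={lcl:.3f} center={center:.3f} UCL={ucl:.3f}")
    print("out of control:", out_of_control_points(READINGS, lcl, ucl))
    print("investigate at P=0.3?", should_investigate(0.3, 2000.0, 10000.0))
```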



SU9 : ANALYSIS, EVALUATION, DOCUMENTATION, & SUPERVISION

9.1 COMPUTERIZED AUDIT TOOLS

1. Internal auditors should use available information technology (IT) to assist in performing audit work more efficiently and effectively. The benefits of using IT include a) Reduced audit risk. b) Increased productivity, resulting in more timely audit engagements. c) Increased audit opportunities.

2. Computer-Assisted Audit Techniques (CAATs)
a) Are computerized management tools which are used to perform audit procedures and document results and to manage audit functions in both large public accounting firms (use proprietary software) and smaller firms/internal auditors (use off-the-shelf software).

3. Advantages of CAATs Include:
1) Direct access to the entity's complete database (rather than sampling)
2) Digital searches for certain types of records, items, etc.
3) Use of predictive models to identify high-risk areas
4) Financial reports that are integrated with spreadsheet routines
5) Analyses illustrated with graphs and other pictorial displays
6) File access and file reorganization

4. Common Audit Tasks Performed by CAATs
a) Aging, Duplicate identification, Exportation, Data mining and extraction, Gap identification, Joining and merging, Sampling, Sorting, Stratification, Summarization, and Calculating totals.

5. Uses of CAATs To Identify Fraud Include
1) Analyzing the payroll file to identify identical addresses
2) Matching vendor addresses to employee addresses
3) Identifying transactions recorded at times outside normal working hours
4) Identifying debits to accounts normally credited and vice versa
5) Matching sales shipping addresses to employee addresses

6. Computer Audit Tools
1) Generalized Audit Software (GAS)
a) Using GAS, the auditor loads a copy of the client's production data onto the auditor's own computer to perform various analytical procedures to identify anomalies, errors, and omissions.
b) GAS is useful for both tests of controls and substantive procedures.
c) Two GAS packages are ACL (Audit Command Language) and IDEA (Interactive Data Extraction and Analysis). Independent auditors often use IDEA, because it can be adapted to many client environments (especially in a largely IT environment).
d) A detailed knowledge of the client's system is unnecessary because a GAS package is designed to process data files from almost any platform.
e) A limitation on the use of GAS: it can only be used on hardware with compatible operating systems.
2) Code comparison: Software compares source code with object code to detect unauthorized program changes or analyze unexecuted code.
3) Test data: Creating dummy transactions tests controls (test only one transaction for each valid and invalid condition that interests the auditor) against expected results by running the client's computer programs under the auditor's control. An advantage is that it directly tests the controls. A disadvantage is that processing is tested at only one moment in time.
4) Embedded audit modules: Designed to identify and report actual transactions and other information that meet criteria having audit significance (suitable for data processed only in electronic form). An advantage is that it permits continuous monitoring of online, real-time systems. A disadvantage is that audit hooks must be programmed into the operating system and application programs to permit insertion of audit modules.
5) Expert systems: Using software to automate the knowledge and logic of experts helps an auditor with decision making and risk analysis.
6) Artificial Intelligence (AI): AI computer software is designed to perceive, reason, learn, and understand in order to make decisions related to audit tasks.
7) Parallel simulation: An auditor-developed program, not the client's program, is used to reprocess client data (only real, not fictitious, transactions) throughout the period and compare the output with the client's output.
8) Integrated Test Facility (ITF) / minicompany technique: The auditor creates a coded fictitious entity (a department, vendor, employee, or product) on the client's live production system (real transactions). The fictitious entries should be identified and reversed to avoid contamination of control totals.

9.2 FLOWCHARTS AND PROCESS MAPPING

1. Flowcharts
1) Are graphical representations of the step-by-step progression of information through preparation, authorization, flow, storage, etc. The system depicted may be manual, computerized, or a combination of the two.
2) Allow the auditor to analyze a system and to identify the strengths and weaknesses of internal controls and the appropriate areas of audit emphasis.
3) Are used during the preliminary survey to gain an understanding of the client's processes and controls.
4) Symbols (figure in the original; labels only): Start/End, Decision, Database/Data File, Document/Report, On-page reference, Process, Manual Input, Manual Operation, Adding Machine, Off-line storage, Input/Output, Tape.
5) Horizontal Flowcharts
1) Sometimes called "system flowcharts", depict areas of responsibility (departments or functions) arranged horizontally across the page in vertical columns, and focus on the assignment of duties and independent checks on performance.
2) Provide a summary-level description of a complex new computer system. The normal sequence of documents and operations on a well-prepared systems flowchart is top to bottom and left to right.
6) Vertical Flowcharts
1) Sometimes called "program flowcharts", present successive steps in a top-to-bottom format, and are usually designed to provide for written descriptions.
2) Identify the specific edit tests implemented.

2. Process Mapping
1) A process map is the pictorial representation or narrative description of a client process. During the preliminary survey, reviewing the process map aids the internal auditor in assessing the efficiency of processes and controls.

3. Narrative
1) Is a sequential description of the inputs, process steps, and outputs of a process. A process narrative is a tool that can be used alongside or instead of a flowchart.
2) Narratives should be used only for simple processes.

4. Data Flow Diagrams
1) Data flow diagrams have no symbols for output, and show how data flow to, from, and within an information system and the processes that manipulate the data. A data flow diagram can be used to depict lower-level details as well as higher-level processes.

5. A block diagram
1) Is similar to a process map in that it is used to depict a process in diagram form. It is easier to create and understand because it does not require knowledge of different symbols.

6. A spaghetti map
1) Depicts the flow of people, material, and information from the first to last steps of a process. It highlights the number of key steps and spatial relationships of a particular process by tracing each step of the process. The goal is to identify the inefficiencies in a process, eliminate the superfluous steps, and create more streamlined process paths.

7. RACI diagram
1) Is used to clarify decision-making assignments in cross-functional or departmental projects and processes.
2) R – Responsible: A person who is responsible for performing the particular task. A – Accountable: A person who is the final decision maker and is ultimately accountable for the task. C – Consulted: A person who must be consulted before completing the task or making a decision. I – Informed: A person who is informed after a decision is made or when the task is completed.
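The five CAAT fraud tests listed in 9.1 item 5, run over constructed records as an added example (not from the Gleim summary and not any GAS package's code): the employee, vendor, sales and journal records, the 08:00-18:00 weekday working window, and the normal-balance table are all assumptions made for the illustration.

```python
"""The five CAAT fraud tests from SU9 9.1 item 5, over constructed data.
Added example, not Gleim's own code. All records below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

WORK_START, WORK_END = 8, 18  # assumed normal working hours, 24h clock


def norm_addr(addr):
    """Normalize an address so formatting differences do not hide a match."""
    return re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()


# Constructed master and transaction data, illustrative only
EMPLOYEES = [
    {"id": "E1", "name": "A. Smith", "address": "12 Oak St, Springfield"},
    {"id": "E2", "name": "B. Jones", "address": "12 oak st., Springfield"},
    {"id": "E3", "name": "C. Lee", "address": "7 Elm Ave, Shelbyville"},
]
VENDORS = [
    {"id": "V1", "name": "Acme Supplies", "address": "99 Industrial Rd, Capital City"},
    {"id": "V2", "name": "Elm Consulting", "address": "7 ELM AVE, Shelbyville"},
]
SALES = [
    {"id": "S1", "ship_to": "99 Industrial Rd, Capital City"},
    {"id": "S2", "ship_to": "12 Oak St, Springfield"},
]
# Assumed normal balance side per account
NORMAL_BALANCE = {"Cash": "debit", "Sales Revenue": "credit", "Accounts Payable": "credit"}
JOURNAL = [
    {"id": "J1", "account": "Cash", "side": "debit", "posted": "2023-03-06 10:15"},
    {"id": "J2", "account": "Sales Revenue", "side": "debit", "posted": "2023-03-06 11:00"},
    {"id": "J3", "account": "Accounts Payable", "side": "credit", "posted": "2023-03-04 22:30"},
    {"id": "J4", "account": "Cash", "side": "credit", "posted": "2023-03-07 02:05"},
]


def duplicate_payroll_addresses(employees):
    """Test 1: groups of employee IDs sharing the same normalized address."""
    groups = defaultdict(list)
    for e in employees:
        groups[norm_addr(e["address"])].append(e["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def match_to_employee_addresses(records, employees, field):
    """Tests 2 and 5: (record id, employee id) pairs whose addresses coincide."""
    emp_by_addr = defaultdict(list)
    for e in employees:
        emp_by_addr[norm_addr(e["address"])].append(e["id"])
    hits = []
    for r in records:
        for emp_id in emp_by_addr.get(norm_addr(r[field]), []):
            hits.append((r["id"], emp_id))
    return hits


def outside_working_hours(journal):
    """Test 3: entries posted on a weekend or outside WORK_START..WORK_END."""
    flagged = []
    for j in journal:
        ts = datetime.strptime(j["posted"], "%Y-%m-%d %H:%M")
        if ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END):
            flagged.append(j["id"])
    return flagged


def abnormal_side_entries(journal, normal_balance):
    """Test 4: debits to accounts normally credited, and vice versa.
    A hit is a lead for follow-up (a credit to Cash can be a routine
    payment), not evidence of fraud on its own."""
    return [j["id"] for j in journal if j["side"] != normal_balance[j["account"]]]


if __name__ == "__main__":
    print("same payroll address:", duplicate_payroll_addresses(EMPLOYEES))
    print("vendor = employee:", match_to_employee_addresses(VENDORS, EMPLOYEES, "address"))
    print("ship-to = employee:", match_to_employee_addresses(SALES, EMPLOYEES, "ship_to"))
    print("off-hours postings:", outside_working_hours(JOURNAL))
    print("abnormal side:", abnormal_side_entries(JOURNAL, NORMAL_BALANCE))
```

Every hit is an exception for the auditor to pursue with further procedures, which is why each function returns identifiers rather than a verdict.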



SU9 : ANALYSIS, EVALUATION, DOCUMENTATION, & SUPERVISION

9.3 ANALYTICAL REVIEW TECHNIQUES

1. Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations.

2. Analysis and evaluation are required to some extent in (a) initiating engagements, (b) planning the engagement, (c) developing the work program, and (d) performing procedures.

3. Analytical Procedures
1) The premise of analytical procedures is that certain relationships among different kinds of information, such as direct correlations, are reasonably expected to continue unless invalidated by known conditions.
2) Are useful in identifying (1) unexpected differences, (2) the absence of differences when they are expected, (3) potential errors, (4) potential fraud or illegal acts, or (5) other unusual or nonrecurring transactions or events.
3) Any significant variances from auditor-developed expectations should be investigated (including validating management responses). Matters that cannot be explained may require follow-up and possible communication to senior management and the board.

4. Internal Auditors' Considerations While Using Analytical Procedures
(1) Significance of the area being examined,
(2) Assessment of risk management in the audited area,
(3) Adequacy of the internal control system,
(4) Availability and reliability of financial and nonfinancial information,
(5) Precision with which the results of analytical audit procedures can be predicted,
(6) Availability and comparability of information regarding the industry in which the organization operates, and
(7) Extent to which other procedures provide evidence.

5. Examples of Analytical Procedures:
Period-to-period analysis compares data from similar time periods. This analysis can be enhanced by using percentages, which can indicate the significance of the difference between data points. This approach is especially informative in seasonal industries, such as retailing and agriculture.
Trend analysis compares changes in data over time and can provide greater context than a period-to-period analysis. By covering a wider time frame, trend analysis reveals changes that might otherwise be overlooked and helps identify anomalies.
Ratio analysis can provide additional insight by expressing related financial data in nonfinancial calculations, such as percentages, multiples, or periods. These calculations can make it easier to compare data against an appropriate benchmark such as prior periods, expected results, or other entities (industry analysis).
Regression analysis determines the degree of relationship, if any, between two variables, such as that between actual sales and actual cost of goods sold. The degree of relationship can be used as a benchmark to test for reasonableness.
Multiple regression uses several variables to predict the dependent variable. It is useful in cases where using a single variable is too simplistic.

9.4 WORKPAPERS - PURPOSE AND CHARACTERISTICS

1. Internal auditors must document (using workpapers) sufficient, reliable, relevant, and useful information to support the engagement process from planning to drawing conclusions.

2. Engagement Workpapers
1) Workpapers record information generated throughout the engagement process, including planning, testing, analyzing, and evaluating data and formulating engagement results and conclusions. Workpapers are often digital.

3. Uses of Workpapers
1) Aid in the planning, performance, and review of engagements
2) Provide the principal support for engagement results
3) Document whether engagement objectives were achieved
4) Support the accuracy and completeness of the work performed
5) Provide a basis for the internal audit activity's quality assurance and improvement program
6) Facilitate third-party review

4. Uniformity
1) Consistency should be maintained within the internal audit activity to permit sharing of information and coordination of activities. This can be accomplished by using (1) a standardized, flexible workpaper template and (2) audit software.

5. Responsibility
1) The CAE should establish policies and procedures for workpapers for different engagements.

6. Characteristics
1) Workpapers support the requirement for internal auditors to identify sufficient, reliable, relevant, and useful information, including objectives, observations, conclusions, and recommendations.

7. Content
1) Indexing. 2) Titles indicating the subject matter of the audit engagement. 3) Time of the engagement. 4) Scope of work, purpose, sources of information. 5) The population, sample size, and means of selection. 6) Analytical methods. 7) Results of tests and analyses. 8) Conclusions cross-referenced to observations. 9) Recommended follow-up. Names of the internal auditor(s). 10) Review notation and name of the reviewer(s).

8. Indexing
1) Indexing permits cross-referencing. It is important because it simplifies supervisory review either during the engagement or subsequently, and facilitates the factual rebuttal of challenges by clearly identifying sources and locations of facts.
2) Indexing facilitates preparation of final engagement communications, later engagements for the same client, and internal and external assessments of the IAA.

9. Review
1) Each workpaper must, at a minimum, identify the engagement and describe the contents or purpose of the workpaper, for example, in the heading. Workpapers should also be: signed (initialed) and dated and contain an index or reference number; neat, not crowded, and written on only one side; uniform in size and appearance; economical, avoiding unnecessary copying, listing, or scheduling; arranged in a logical and uniform style; clear, concise, and complete.
2) Workpapers should document such matters as how sampling populations were defined and how statistical samples were selected.
3) Verification symbols (tick marks) are likely to appear on most workpapers and should be explained.

10. Summaries
1) Summaries distill the most useful and relevant information from several workpapers into a more readily usable format, e.g., the draft audit report. A statistical summary condenses related numerical information from engagement work programs.

11. Permanent Workpapers
1) Permanent workpapers are carried forward to each audit and retain relevant, reusable information that assists the audit team during the audit. Auditors still need to work with the auditees to confirm that the information is correct and update the carry-forward information where necessary.

12. Computerized Workpapers
1) Advantages of electronic workpapers: (1) uniformity of format, (2) ease of storage, (3) searchability and automated cross-indexing, (4) backup and recovery functions, (5) built-in audit methodologies, such as sampling routines.
2) The use of electronic media involves security issues that do not arise when workpapers exist only on paper.
3) Electronic workpapers and reviewer comments should be protected from unauthorized access and change.



SU9 : ANALYSIS, EVALUATION, DOCUMENTATION, & SUPERVISION

9.5 WORKPAPERS -- REVIEW, CONTROL, AND RETENTION

1. The chief audit executive must control access to engagement records. The chief audit executive must obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.

2. Review of Workpapers
1) The reviewer is required to sign and date the workpapers reviewed.
2) Written review notes record questions arising from the review and responses by the staff auditor.
3) Adequate evidence that any questions have been resolved, or confirmation that no questions arose, is required.

3. Control of Workpapers
1) The primary objective of maintaining security over workpapers is to ensure the integrity of the audit process. If workpapers, whether manual or computerized, are lost, then the work done in the audit is effectively lost. Access to audit workpapers should therefore be limited only to necessary personnel.
2) Unauthorized changes or removal of information would seriously compromise the integrity of the internal audit activity's work. For this reason, the chief audit executive must ensure that workpapers are kept secure.
3) Workpapers are the property of the organization.

4. Access
1) When engagement objectives will not be compromised, the internal auditor may show all or part of the workpapers to the client. This may help explain the context of audit procedures to the client. For instance, the results of certain engagement procedures may be shared with the client to encourage corrective action.
2) One potential use of engagement workpapers is to provide support in the organization's pursuit of insurance claims, fraud cases, or lawsuits.

5. Retention of Workpapers
1) The CAE must develop retention requirements for engagement records, regardless of the medium in which each record is stored. These retention requirements must be consistent with the organization's guidelines and any pertinent regulatory or other requirements.
2) The record retention policy should include appropriate arrangements for the retention of records related to engagements performed by external service providers. Workpapers should be destroyed after they have served their purpose.

9.6 DRAWING CONCLUSIONS

1. Difference Between Findings and Opinions

Findings or Observations:
- Findings are the evidence obtained. They refer to relevant statements of fact about the results of an internal audit procedure without interpretation or commentary.
- Any auditors performing the audit procedures should document identical findings.
- Objective nature.

Opinions or Conclusions:
- They refer to judgments made about responses to the findings or observations documented, based on appropriate analyses and evaluations related to the entire scope of an engagement or its elements.
- Different auditors may draw different conclusions from the same set of observations or findings.
- Subjective nature.

2. Root Cause Analysis
1) To maximize the value of the internal audit to the entity in the form of actionable and effective recommendations to resolve adverse audit findings, the internal auditor should investigate and assess why the adverse findings occurred. The purpose is to address the root cause(s) of the adverse findings.
2) The identified root causes relate to several problems. Recommendations addressing the root causes will have greater and longer-lasting effects than recommendations that address only the immediate cause.

9.7 SUPERVISION

1. Supervision at the Engagement Level
1) Engagements must be properly supervised (from planning to performance to reporting results) to ensure objectives are achieved, quality is assured, and staff is developed.
2) The extent of supervision required will depend on the proficiency and experience of internal auditors and the complexity of the engagement.
3) Appropriate evidence of supervision is documented and retained.

2. CAE
1) The CAE's supervision is relevant to all phases of the engagement.
2) Retains ultimate responsibility for the supervision of the engagement. However, supervision of an audit engagement may be delegated.
3) Is responsible for significant professional judgments.
4) Adopts suitable means to: (a) minimize the risk of inconsistent professional judgments or other actions inconsistent with those of the CAE and (b) resolve differences in professional judgment between the CAE and staff members.

3. Cooperative Relationships
1) To ensure complete cooperation, senior management is responsible for notifying other departments of the existence of the internal audit activity.
2) Partnering with management at all levels is one of the best ways for internal auditors to obtain information.
3) Fostering relationships with auditee employees provides another source of information.

4. Coordination during the Engagement
1) The auditor-in-charge should coordinate work assignments among audit team members during the engagement.
2) Coordination during the engagement ensures that engagement objectives will be met efficiently and effectively.

5. Staff Performance Evaluations
1) As part of the resource management process, a written appraisal of each internal auditor's performance is required at least annually.
2) At the conclusion of any major audit engagement, supervisory personnel should complete performance appraisals for all audit staff who worked on the engagement. Such appraisals help (1) the CAE to assess future training needs and current staff abilities and (2) staff to identify areas of personal strength and weakness.



SU10 : COMMUNICATING RESULTS AND MONITORING PROGRESS

10.1 COMMUNICATION WITH CLIENTS

1. Overview
1) Communication is key to the internal audit function's mission to add value and improve the organization's operations.
2) The internal auditor needs to communicate with all parties, though the nature, content, and timing of the communications may differ.
3) Communication is required before, during, and after the engagement.

2. Preliminary Communication
1) Implementation Guide 2200, Engagement Planning, reinforces the importance of communication to the pre-engagement activity.
2) Internal auditors are required to communicate the scope to management of the area under review, giving management adequate lead time for preparation, to ensure availability of key personnel early in the process.
3) Some information may be acquired by sending a questionnaire or survey to the client early in the audit process. The answers are then discussed at the preliminary meeting.
4) This preliminary notice is omitted when the engagement involves such activities as a surprise cash count or procedures related to suspected fraud.
5) If the results of a preliminary survey and limited testing reveal no deficiencies, the IAA should send a memorandum communication to the client summarizing the preliminary survey results and indicating that the engagement has been canceled.

3. Engagement Communications
1) The purpose of engagement communications is to (a) inform (tell what was found), (b) persuade (convince management of the worth and validity of the audit findings), and (c) get results (move management toward change and improvement).
2) Engagement communications should meet the expectations, perceptions, and needs of both operating management (emphasizing the details of operations) and senior management (providing appropriately generalized information regarding matters of significance to the organization as a whole).
3) A written engagement communication should be made even if no issues were noted or all issues have been resolved.
4) Internal auditors should be skilled in oral and written communications to clearly and effectively convey such matters as engagement objectives, preliminary surveys, evaluations, conclusions, and recommendations.

4. Interim Engagement Communication
1) Conducting an engagement involves ongoing communication between the staff and management of both the internal auditors and the engagement client.
2) This interim communication is a professional courtesy. Its purpose is to communicate items that should not wait until the final report, such as: information that requires immediate attention, any change in scope, or the progress of a long-duration engagement.
3) Interim reporting can be any combination of oral, written, formal, or informal, such as a weekly progress report.
4) Interim reports prepared by the internal audit staff should be reviewed by the chief audit executive or other supervisory personnel.
5) Preliminary findings that are subject to change should be clearly indicated.
6) The use of interim reporting does not diminish or eliminate the need for a final report.

10.2 OBSERVATIONS AND RECOMMENDATIONS

1. After identifying, analyzing, evaluating, and documenting engagement information, the internal auditor makes observations and forms conclusions about the engagement objectives based on the information.

2. Recommendations are based on observations/findings and conclusions and may be general or specific. They are made to enhance and protect organizational value.

3. Attributes of Observations and Recommendations
1) Attributes
a) Criteria are the standards, measures, or expectations used in making an evaluation (the correct state). Criteria form a hypothesis.
b) Condition (facts) is the factual evidence that the internal auditor found in the examination (the current state). The condition is what is actually observed, proving or disproving the hypothesis (audit findings).
c) Cause is the reason for the difference between expected and actual conditions. A recommendation in a final engagement communication should address the cause attribute.
d) Effect is the risk or exposure the organization or others encounter because the condition is not consistent with the criteria (the effect of the difference). It is what happened.
2) Background information is generally provided in the final communication. Examples include: (a) activities reviewed and the status of observations, (b) recommendations from prior reports (can be used as a follow-up source), (c) conclusions, (d) summaries of the communication's content.
3) Types of Observations
a) Favorable observations should be short and simple. For example, "Production schedules, levels, and quality were at or ahead of budgeted levels in every case."
b) Unfavorable observations need further explanation to justify recommended changes.
4) Conclusion: is the result of an audit.
5) Observations and recommendations may include client accomplishments, related issues, and supportive information.
6) Corrective action taken: if the organization has taken a suitable corrective action, then the observation should be closed.

10.3 COMMUNICATING ENGAGEMENT RESULTS

1. Communication of engagement results to the client will be done by the chief audit executive or an appropriate delegate consistent with the policies and procedures of the internal audit function.

2. Internal auditors need a clear understanding of engagement communication requirements, which are often contained in the audit policies and procedures manual. A standard template may be used.

3. Final communication of engagement results must include applicable conclusions, as well as applicable recommendations and/or action plans. Where appropriate, the internal auditors' opinion should be provided.

4. An overall opinion on the engagement is not mandatory. An opinion should only be included when it is appropriate.

5. An opinion must take into account the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.

6. The Report Structure Includes:
(1) Report title. (2) Objective (purpose). (3) Scope (coverage and the period covered, extent, any limitations imposed, and exclusions). (4) Background. (5) Recognition (positive areas) & acknowledgment (the management cooperation). (6) Rating (ranking and outcome). (7) Results (conclusions & observations "findings"): an executive summary followed by the detailed observations, which include title and reference, critical rating, facts supported by relevant data, audit recommendations, and management action plans. (9) Distribution list.

7. The internal auditor reaches agreement with the client about results and any necessary plan of corrective action. Disagreements are fully disclosed, including both positions and the reasons.

8. Communication criteria note that accomplishments may be viewed in terms of improvements since the last engagement or the establishment of a well-controlled operation.

9. Final engagement reports are to be signed by the CAE or the authorized internal auditor either manually or electronically in the report or on a cover letter.

Summary of CIA Part 2 - Gleim 2023 Page 21 of 23 samehacc1@gmail.com


SU10 : COMMUNICATING RESULTS AND MONITORING PROGRESS

10.4 COMMUNICATION QUALITIES AND OVERALL OPINIONS
1. Communications must be:
1) Accurate: free from errors and distortions. Use precise wording supported by evidence gathered during the engagement.
2) Objective: fair, impartial, and unbiased. Require an unbiased mental attitude and use similarly unbiased language that focuses on deficiencies in processes and their execution.
3) Concise: to the point, avoiding unnecessary elaboration. Exclude information that is unnecessary, insignificant, or unrelated to the engagement.
4) Constructive: helpful to the engagement client. Reflect the severity of the observations while enabling a collaborative process for determining solutions that facilitate positive change within the organization.
5) Complete: lack nothing that is essential. Enable the reader to reach the same conclusion as the internal audit activity.
6) Timely: opportune and expedient. Submitted by the deadlines established during the planning phase.

2. Errors and Omissions: The CAE
1) Must communicate corrected information to all parties who received the original communication, if a final communication contains a significant error or omission.
2) Should understand the expectations of the board of directors and senior management regarding errors and omissions they would consider significant.
3) Should consider whether the (significant) error or omission would change: (a) The results of the engagement, (b) The view of others regarding the severity of the findings, (c) A conclusion, (d) An opinion, or (e) A recommended action.
4) Would first attempt to establish the cause of the error or omission in order to prevent a similar situation recurring and to determine whether this needs to be included in the communication to the board of directors and senior management. This process helps protect the integrity and status of the IAA.

3. Use of Statement "Conducted in Conformance with ISPPIA"
1) Indicating that engagements are "conducted in conformance with the International Standards for the Professional Practice of Internal Auditing" is appropriate only if supported by the results of the quality assurance and improvement program.

4. Requirement to Disclose Nonconformance with Code of Ethics or Standards
1) When nonconformance with the Code of Ethics or the Standards impacts a specific engagement, communication of the results must disclose the: (a) Principle(s) or rule(s) of conduct of the Code of Ethics or Standard(s) with which full conformance was not achieved. (b) Reason(s) for nonconformance. (c) Impact of nonconformance on the engagement and the communicated engagement results.
2) Circumstances that may prevent internal auditors from conforming with the Code of Ethics or the Standards include the impairment of independence and/or objectivity, scope limitation, lack of information, encountering unreliable data, or other constraints.

5. Opinions
1) Engagement (micro-level) opinions are based on the results of a single engagement or a few engagements within a limited timeframe.
2) In contrast, overall (macro-level) opinions are based on the results of multiple engagements over a longer timeframe.
3) Overall opinions are a combined, higher-level opinion formed after the completion of multiple engagements.
4) The overall opinion must be supported by sufficient, reliable, relevant, and useful information.
5) An overall opinion may be based on aggregate engagement conclusions, along with results reported from outside entities (independent third parties or regulators).
6) The overall opinion will use clear, concise language and articulate how the opinion relates to the strategies, objectives, and risks of the organization.
7) The CAE decides whether to communicate the overall opinion verbally or in writing. The Standards are not violated by providing a verbal opinion to the board of directors.
8) If the overall opinion is unfavorable, the reasons behind this conclusion must be explained.
9) A positive opinion (which may be qualified) requires the auditor to have gathered sufficient evidence to be reasonably certain that any existing evidence that would undermine or refute the opinion has been identified.
10) Negative (or limited) assurance is a statement that nothing came to the auditor's attention concerning the particular objective.

10.5 EXIT CONFERENCE AND MANAGEMENT'S RESPONSE
1. Exit Conferences
1) Internal auditors discuss observations, conclusions, and recommendations with engagement clients and appropriate levels of management before the CAE issues the final communication.
2) Internal auditors should lead the discussions.
3) A meeting agenda helps to structure the conference.
4) Minutes of the conference should be taken and circulated after the meeting to reduce the chance of subsequent misunderstanding of the discussions held.
5) The primary purpose of an exit conference is to present and validate audit findings. Secondary purposes include (a) Improving relations with the engagement client. (b) Discussing management's actions and responses. (c) Obtaining feedback on the effectiveness of internal auditing engagements.
6) An exit meeting should be documented because the information may be needed if a dispute arises. Documentation of an exit meeting is NOT required by the Standards.

2. Management's Review and Response
1) Reviews of communication drafts with engagement clients (management or others) are a courtesy to them and reduce the chance of errors or misunderstanding.
2) Any prospect that the engagement client will be caught unawares by the contents of the final report should be eliminated.
3) Disagreements (which should be noted in the final report) may still arise despite the opportunity to review and discuss the engagement findings and the contents of the draft report.



10.6 APPROVE AND DISTRIBUTE REPORTS
1. Disseminating Results
1) The CAE (or someone designated by the CAE) is responsible for communicating the final results to parties who can ensure that the results are given due consideration.
2) When the CAE delegates these duties, he or she retains overall responsibility.
3) The CAE determines which communication format to use for each recipient. The communication may be verbal or written, and either a full detailed report or an executive summary.
4) The CAE may be directly involved in the preparation of the final report in smaller organizations, or will likely review and approve communications prepared by a member of the internal audit function in larger organizations.

2. Sensitive Information
1) The auditors may possess critically sensitive and substantial information with significant potential adverse consequences. The auditors normally communicate it (through the IAA's usual chain of command) on a timely basis to senior management and the board.
2) If the CAE concludes that senior management is exposing the organization to unacceptable risk and is not taking appropriate action, (s)he must discuss the matter with senior management and present the information and differences of opinion to the board.
3) Auditors may need to consider communicating outside the chain of command or the organization (internal or external whistleblowing, respectively), must be aware of applicable laws, and must obtain legal advice if uncertain of legal requirements or consequences.
4) The auditor must make a professional decision about his or her obligation to the employer, and must consider the duty of confidentiality.

3. Communications Outside the Organization
1) If not otherwise mandated by legal, statutory, or regulatory requirements, prior to releasing results to parties outside the organization the CAE must: (a) Assess the potential risk to the organization. (b) Consult with senior management and/or legal counsel as appropriate. (c) Control dissemination by restricting the use of the results.
2) The CAE needs to carefully consider the consequences of disseminating results outside the organization.

10.7 MONITOR ENGAGEMENT OUTCOMES
1. Monitoring Progress
1) The CAE must establish and maintain a system to monitor the disposition of results communicated to management.
2) The IAA implements a system to track what is being done with regard to the engagement results requiring management responses.

2. Follow-up Process
1) The CAE must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.
2) The CAE should assess whether management has adequately addressed the issues requiring a response.
3) The IAA's responsibility to follow up on reported audit findings should be defined in the internal audit charter.

3. Tools for Monitoring Progress & Follow-up Process
1) Tools: (1) Simple (spreadsheets), (2) Moderate (collaborative sharing software), (3) Sophisticated (employing functionality within general audit software).
2) The core requirement for the tool selected is that it captures the relevant observations, agreed corrective action, and current status.

4. Acceptance of Excessive Risk
1) If the CAE concludes that senior management is exposing the organization to unacceptable risk and is not taking appropriate action, (s)he must discuss the matter with senior management. If the issue remains unresolved, the CAE needs to escalate the issue to the board and present the information and differences of opinion.
2) The identification of risk accepted by management may be observed through an assurance or consulting engagement, monitoring progress on actions taken by management as a result of prior engagements, or other means. It is not the responsibility of the CAE to resolve the risk.
3) The CAE needs an understanding of the organization's tolerance of various types of risk. This understanding would be enhanced by referring to the organization's formal risk management policy if it has one.
4) Collaborative networking within the organization and keeping current with industry trends and regulatory changes will assist the recognition of potential or emerging risks.
5) Risk types beyond the organization's tolerance level include those that may: a) Harm the reputation or people, b) Result in significant regulatory fines, limitations on business conduct, or other financial or contractual penalties, c) Cause material misstatements, d) Involve fraud or other illegal acts, and e) Create significant impediments to achieving strategic objectives.
