CIA Part 1 Revision Kit 1676353169

The document outlines the foundations of internal auditing, including the Core Principles for Professional Practice and the purposes of the IIA Standards. It emphasizes the importance of integrity, objectivity, confidentiality, and competency in internal auditing, along with the roles of internal auditors in assurance and consulting engagements. Additionally, it discusses the ethical conduct expected from internal auditors and the necessity of a formal internal audit charter to define the authority and responsibilities of the internal audit activity.

Uploaded by abhinesh nesh

Study Unit 1: Foundations of Internal Auditing

Subunit 1: Applicable Guidance

The Core Principles for the Professional Practice of Internal Auditing are:
(1) Demonstrates integrity,
(2) Demonstrates competence and due professional care,
(3) Objective and free from undue influence (independent),
(4) Aligns with the strategies, objectives, and risks of the organization,
(5) Appropriately positioned and adequately resourced,
(6) Demonstrates quality and continuous improvement,
(7) Communicates effectively,
(8) Provides risk-based assurance,
(9) Insightful, proactive, and future-focused,
(10) Promotes organizational improvement.
Short Form to Memorize:
1- Integrity
2- Competency & Due Professional Care.
3- Independent and Objective.
4- Strategies, Objectives and Risks.
5- Positioned and Resourced.
6- Quality & Continuous Improvement.
7- Communicated.
8- Risk-Based Assurance.
9- Insightful, proactive, and Future-Focused.
10- Promote Improvement.

The IIA provides the following Purposes of The Standards:


1. Guide adherence with the mandatory elements of the IPPF.
2. Provide a framework for performing and promoting a broad range of value-added internal audit
activities.
3. Establish the basis for evaluating internal auditing performance.
4. Foster improved organizational processes and operations.

The IIA Glossary defines consulting services as “advisory and related client service activities that
are intended to add value and improve an organization’s governance, risk management, and control
processes without the internal auditor assuming management responsibility.”
Generally, two parties are participants in consulting services:
(1) the internal auditor (the advisor) and (2) the engagement client (the advisee)
Three parties are involved in an assurance engagement: the process owner (the party directly
involved with the process or system), the internal auditor (the assessor), and the user of the
assessment. For an assurance service, the internal audit activity determines the nature and scope of the
engagement and objectively assesses the evidence gathered.

The nature and scope of an assurance engagement are determined by the Internal Auditor.
However, the nature and scope of the consulting engagement are subject to agreement with the
engagement client.
The mandatory guidance portion of the IPPF consists of the Core Principles together with:
1. The Definition of Internal Auditing
2. The Code of Ethics
3. The Attribute Standards
4. The Performance Standards
5. The Implementation Standards (requirements applicable to assurance or consulting engagements)
Implementation Standards expand upon the Attribute and Performance Standards. They provide
requirements applicable to assurance (".A") or consulting (".C") engagements.

• Attribute Standards describe the characteristics of organizations and parties providing internal
auditing services.
• Performance Standards describe the nature of internal auditing and provide quality criteria for
evaluation of internal audit performance.
• Implementation Standards apply to specific types of engagements.

Assurance services involve the internal auditor’s objective assessment of evidence to provide
opinions or conclusions regarding an entity, operation, function, process, system, or other subject
matter.
Example of Assurance Services: The board is in the due diligence phase of a new company
acquisition. The CFO has asked for the internal auditor’s opinion of the new company’s debt
structure.
- Training would be considered a consulting service.
- Engagement to review and recommend improvements is a consulting service.
- Facilitation services are consulting engagements in which the auditor guides management in
identifying organizational strengths and opportunities for improvement.

It is the responsibility of management to correct or eliminate risk management processes that are
inadequate and ineffective. It is the responsibility of the internal auditor to evaluate whether risk
management processes are effective. The internal audit activity is considered effective only if all of the
Core Principles are present and operating effectively.
Subunit 2: Codes of Ethical Conduct for Professionals

• Performance of professional duties in accordance with relevant laws (observe the law) (Integrity)
• Establishment of trust (Integrity)
• Respect and contribute to the legitimate and ethical objectives of the organization (Integrity)
• Perform their work with honesty, diligence, and responsibility (Integrity)
• Disclose all revenues and sales taxes collected to the state’s taxation department (Integrity)
• Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the
profession of internal auditing or to the organization (Integrity)
• Refraining from using confidential information for unethical or illegal advantage (Confidentiality)
• Be prudent in the use and protection of the information acquired in their duties (Confidentiality)
• Avoidance of conflict of interest (Objectivity)
• Not accept anything that may impair or be presumed to impair their professional judgment
(Objectivity)
• Disclose all material facts known to him or her that, if not disclosed, might distort the reporting
of activities under review (Objectivity)
• Maintenance of an appropriate level of professional expertise (Competency)
• Perform internal audit services in accordance with the International Standards for the Professional
Practice of Internal Auditing (Competency)
• Engage only in those services for which they have the necessary knowledge, skills, and
experience (Competency)

The code of ethical conduct for financial managers or management accountants in an organization
should require Objectivity in presenting information, preparing reports, and making analyses (Not
subjectivity)
The primary purpose of a code of ethical behavior for a professional organization is to promote an
ethical culture among professionals who serve others.

An organization’s code of ethical conduct:

• Establishes general value system the organization wishes to apply to its members’ activities.
• Communicates organizational acceptable values and beliefs.
• Establishes uniform ethical guidelines for members.
• Establishes high standards against which individuals can measure their own performance.
• Communicates to those outside the organization the value system from which its members must
not be asked to deviate.
• Provides a method of policing and disciplining members for violations.
Provisions for disciplinary action in the event of violations (penalties) enhance the effectiveness of a
code of conduct when some employees are still not willing to adhere to it.

“The code of ethics of a professional organization sets forth Broad Standards of Conduct For The
Members Of The Organization”

Subunit 3: Internal Audit Ethics -- Introduction and Principles

A measure of the cohesion and professionalism of an organization is the degree of voluntary
compliance with its adopted code of ethics. (The degree of voluntary compliance with an organization’s
adopted code of ethics is a measure of the cohesion and professionalism of a company.)
If a particular conduct is not mentioned in the Rules of Conduct, that does not prevent it from being
unacceptable or discreditable. Consequently, a reasonable inference is that individual judgment is
necessary in the application of the Principles and the Rules of Conduct by the internal auditor.

The IIA’s Code of Ethics extends beyond the Definition of Internal Auditing to include two
essential components:
(1) Principles that are relevant to the profession and practice of internal auditing.
(2) Rules of Conduct that describe the behavior norms expected of internal auditors (Introduction).

Subunit 4: Internal Audit Ethics -- Integrity


An internal auditor must:
(1) Not knowingly be a party to any illegal activity.
(2) Disclose all material facts known to him or her that, if not disclosed, might distort the reporting of
activities under review
(3) Respect and contribute to the legitimate and ethical objectives of the organization
Thus, when apparent violations of antitrust statutes by officers come to the internal auditor’s attention,
(s)he should report to the board of directors rather than directly to the government regulators. An
internal auditor also must observe the law and make any disclosures required by the law or by the
profession (Rule of Conduct 1.2).

Rule of Conduct 1.1 under the integrity principle states “Internal auditors shall perform their work with
honesty, diligence, and responsibility.”

If an internal auditor conceals information about an illegal act (for example, pollution of the environment),
it is a violation of the Code of Ethics under the integrity principle, by knowingly becoming a party to an
illegal act, NOT by failing to protect the well-being of the general public, because the Code does not
impose a duty to the general public.
CASE of violation of Code of Ethics principle of integrity:

The internal audit manager is required to file work performance reports every morning. The manager
continually comes in late and leaves work early. One of the manager’s direct reports stays late every night
to complete the performance reports on behalf of the manager.

The internal audit manager is not taking responsibility for the position or respecting the employee who is
having to carry the workload. The manager has violated the principle of integrity.

Subunit 5: Internal Audit Ethics – Objectivity

The following concurrent occupation could appear to subvert the ethical behavior of an
internal auditor:

Internal auditor and part-time business insurance broker.

Rule of Conduct 2.1 under the objectivity principle states, “Internal auditors shall not participate in any
activity or relationship that may impair or be presumed to impair their unbiased assessment. This
participation includes those activities or relationships that may be in conflict with the interests of the
organization.”

Under Rule of Conduct 2.2, “Internal auditors shall not accept anything that may impair or be presumed
to impair their professional judgment.”

As a business insurance broker, the internal auditor may lose his or her objectivity because (s)he might
benefit from a change in the employer’s insurance coverage.

Rule of Conduct 2.3 under the objectivity principle states, “Internal auditors shall disclose all material
facts known to them that, if not disclosed, may distort the reporting of activities under review.”

The internal auditors are expected to not be unduly influenced by their own interests in forming
judgments.

Internal auditors must make conclusions based on facts without being influenced by feeling, emotions,
relationships, bribes, or any other outside influence.

The following activities will most likely adversely affect internal auditors’ ethical behavior:

• Serving as a consultant to suppliers might create a conflict of interest.
• Serving as a consultant to competitors might create a conflict of interest.
• Discussing engagement plans or results with external parties.

Accepting compensation from professional organizations for consulting work does NOT adversely
affect internal auditor’s ethical behavior because Professional organizations are unlikely to be
employees, clients, customers, suppliers, or business associates of the organization. Thus, the consulting
fees are not likely to impair or be presumed to impair the internal auditors’ professional judgment (Rule of
Conduct 2.2). Moreover, relationships with professional organizations are not likely to create a conflict of
interest or impair or be presumed to impair internal auditors’ unbiased judgment (Rule of Conduct 2.1).
Also, the consulting engagement should not result in the improper use of information (Rule of Conduct
3.2).

The (CAE) became aware of a material misstatement of the year-end accounts receivable balance. The
external auditors have completed their engagement without detecting the misstatement. The CAE
should Inform the external auditors of the misstatement.

“the CAE should share information and coordinate activities with the external auditors (Perf. Std. 2050).”
The internal auditor should inform the appropriate authorities in the organization if the indicators of
the commission of a fraud are sufficient to recommend an investigation. Thus, the internal auditor
has a duty to act even though the available facts do not prove that an irregularity has occurred.

Turning a case over to the security department is acceptable if the internal auditor is careful not to
state any final conclusions that are not supported by factual information.

Having a material ownership interest in a competitor is more likely to cause a conflict for a director
or officer than an internal auditor (Not violating Code of Ethics). An internal auditor would seldom be
able during the course of his or her employment to take action that would enhance the value of the
ownership interest.

Informing the employee that you will attempt to keep the source of the information confidential and
will look into the matter further is allowed and is ethical behavior by the internal auditor. Promising
merely to attempt to keep the source of the information confidential is allowable, because this promise is
not a guarantee of confidentiality.
(Assuring the employee that you can maintain her anonymity and then listening to the information is NOT
ethical, because the auditor may be unable to honor that guarantee.)

Subunit 6: Internal Audit Ethics – Confidentiality

An example of conflict of interest is if the internal auditor used confidential information to seize a
business opportunity that rightfully belonged to the organization.

Rule of Conduct 3.1 under the confidentiality principle states, “Internal auditors shall be prudent in the
use and protection of information acquired in the course of their duties.” Rule of Conduct 3.2 states,
“Internal auditors shall not use information for any personal gain or in any manner that would be
contrary to the law or detrimental to the legitimate and ethical objectives of the
organization.”

Discussion of sensitive matters with an unauthorized party is the situation most likely to be
considered a Code violation. (A CAE who discusses the details of the observations and the proposed
recommendations for a sensitive area with a fellow CAE from another organization violates the
Code of Ethics and the Standards.)

Deleting sensitive information from a final engagement communication at the request of senior
management is not considered an ethics violation: if senior management permits the omission, the
internal auditor is not guilty of failing to disclose material facts.

The principle of confidentiality permits the disclosure of the company’s information when the internal
auditor has been given the appropriate authority to do so. For example, providing the financial statements
for the last 2 years to a loan officer who requests them does not violate the principle of confidentiality.

Subunit 7: Internal Audit Ethics – Competency

Rule of Conduct 4.2 under the competency principle states, “Internal auditors shall perform internal
audit services in accordance with the International Standards for the Professional Practice of
Internal Auditing.”

The Code of ethics does not specifically mention compliance with organizational policy.

Attr. Std. 1200 requires engagements to be performed with proficiency and due professional care.
Engagements also must be properly supervised to ensure that objectives are achieved, quality is
assured, and staff is developed (Perf. Std. 2340). This means it is acceptable that not all audit
staff are proficient in all audit areas, provided they receive proper supervision.

Rule of Conduct 4.3 under the competency principle states, “Internal auditors shall continually improve
their proficiency and the effectiveness and quality of their services.” (Not engaging in continuing
professional education or other activities to improve effectiveness during the last 3 years is considered a
violation of the competency principle.)

Internal auditors must identify sufficient, reliable, relevant, and useful information to achieve
engagement’s objectives (Perf. Std. 2310).

▪ Failing to report the violation of organizational policy is contrary to the Standards.
▪ Failing to communicate engagement results is contrary to The IIA’s Code of Ethics.

Rule of Conduct 4.1 under the competency principle states, “Internal auditors shall engage only in
those services for which they have the necessary knowledge, skills, and experience.” Internal
auditors may not have, and are not expected to have, knowledge equivalent to that of a person whose
primary responsibility is to detect and investigate fraud (Impl. Std. 1210.A2).
Internal auditors shall continually improve their proficiency and the effectiveness and quality
of their services. Deferring the completion of continuing education, even when approved by the
board, violates The IIA’s Code of Ethics Rule of Conduct for competency.

Subunit 8: Internal Audit Charter

The purpose, authority, and responsibility of the internal audit activity must be formally defined in an
internal audit charter.

One reason for staff meetings is to explain routine administrative matters, to teach new techniques,
and even to let off steam. For example, staff members should be able to raise questions about
ineffective procedures, promotions, salaries, or other problems.

The charter establishes the internal audit activity’s position within the organization, including the
nature of the chief audit executive’s functional reporting relationship with the board; authorizes
access to records, personnel, and physical properties relevant to the performance of engagements;
and defines the scope of internal audit activities (Interpretation of Attr. Std. 1000). Thus, the charter
prescribes the internal audit activity’s relationships with other units within the organization and with
those outside.

The length of tenure of the chief audit executive should NOT be included in the internal audit
charter.

The nature of consulting services MUST be defined in the internal audit charter (Impl. Std. 1000.C1).

Authorization of the board to approve the charter is NOT required to be mentioned in the Internal
Audit Charter. The board has this power inherently.

Engagement clients do NOT authorize the internal auditor’s activity but must be informed of the
internal auditor’s authority. The internal audit charter authorizes access to records, personnel, and
physical properties relevant to the performance of engagements. Final approval of the internal audit
charter resides with the board.

The core values, mission, and vision statements of the organization are NOT included in the internal
audit charter.
Unit 2: Independence, Objectivity, Proficiency, Care, and Quality
Subunit 1: Independence of the Internal Audit Activity

Independence is “the freedom from conditions that threaten the ability of the internal audit activity to
carry out internal audit responsibilities in an unbiased manner” (The IIA Glossary).

Organizational independence is effectively achieved when the CAE reports functionally to the board.
Examples of functional reporting to the board involve the board

• Approving the internal audit charter

• Approving the risk-based internal audit plan

• Receiving communications from the CAE on the internal audit activity’s performance

• Approving decisions regarding the appointment and removal of the CAE

• Making appropriate inquiries of management and the CAE to determine whether there are
inappropriate scope or resource limitations.

The organizational status most conducive to this degree of independence is a dual-reporting relationship.

Objectivity is an individual attribute of each internal auditor. Objectivity requires that internal auditors do
not subordinate their judgment on audit matters to others.

The organizational level to which the internal audit activity reports must be sufficient to permit the
accomplishment of the activity’s responsibilities.

A formal document (charter) approved by the board that defines the internal audit activity’s purpose,
authority, and responsibility enhances its independence.

The CEO’s statement suggests that the internal audit activity lacks the support of senior management
and the board. Furthermore, the lack of outside audit committee members may contribute to a loss
of independence. The board’s failure to approve the charter may have the same effect.

The charter enhances the independence of the internal audit activity. By specifying the purpose, authority,
and responsibility of the internal audit activity, it establishes the position of internal audit in the
organization, including the nature of the chief audit executive’s functional reporting relationship with the
board
At times, an internal auditor may be asked by the engagement client or other parties to explain why
a document that has been requested is relevant to an engagement. Whether to disclose, during the
engagement, the reasons a document is needed should be determined based on the
circumstances. Significant irregularities may dictate a less open environment than would normally
contribute to a cooperative engagement. However, that is a judgment that should be made by the chief
audit executive in light of the specific circumstances. Moreover, the internal audit activity must be
free from interference in determining the scope of internal auditing, performing work, and communicating
results.

If the engagement client asks for the reasons behind a request for specific documentation, the internal
auditor’s proper response is to consider the specific circumstances before deciding whether to disclose
the reasons for the information request.

Subunit 2: Objectivity of Internal Auditors


Objectivity is “an unbiased mental attitude that allows internal auditors to perform engagements in such
a manner that they believe in their work product and that no quality compromises are made. Objectivity
requires that internal auditors do not subordinate their judgment on audit matters to others”

The CAE must establish policies and procedures to assess the objectivity of individual internal auditors.

If management requests the internal audit activity to perform an engagement to recommend
procedures and policies for improving management control, the CAE should accept the
engagement. Recommending standards of control for systems or reviewing procedures prior to
implementation does not create a conflict of interest or impair objectivity.

The CAE is required to assess the objectivity of internal auditors, but the CAE and the internal auditors
themselves are required to maintain their objectivity.

Conflict of Interest:

• Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a
competing professional or personal interest. Such competing interests can make it difficult to
fulfill his or her duties impartially.

• A conflict of interest exists even if no unethical or improper act results.

• A conflict of interest can create an appearance of impropriety that can undermine confidence in
the internal auditor, the internal audit activity, and the profession.

• A conflict of interest could impair an individual’s ability to perform his or her duties and
responsibilities objectively.
Subunit 3: Impairment to Independence and Objectivity
Any scope limitation facing the internal auditor, along with its potential effect, needs to be communicated
to the board first.

Internal auditors may provide consulting services relating to operations for which they had previous
responsibilities

Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for
which the internal auditor had responsibility within the previous year.

An appropriate internal auditing role in a feasibility study is to Ascertain if the feasibility study addresses
cost-benefit relationships. (Assessing the adequacy of a feasibility study is properly within the scope of
work of internal audit).

An internal auditor most likely will have a conflict of interest by providing an assurance service with regard
to a Purchasing activity if a major supplier is owned by the internal auditor’s sister-in-law (Relative).

Internal auditors are not to accept fees, gifts, or entertainment from an employee, client, customer,
supplier, or business associate that may create the appearance that the auditor’s objectivity has been
impaired. The status of engagements is not to be considered as justification for receiving fees, gifts, or
entertainment. Internal auditors are to report immediately the offer of all material fees or gifts to
their supervisors.

The chief audit executive may be asked to take on additional roles and responsibilities outside of internal
auditing, such as responsibility for compliance or risk management activities. These roles and
responsibilities may impair, or appear to impair, the organizational independence of the internal audit
activity or the individual objectivity of the internal auditor.

Safeguards are those oversight activities, often undertaken by the board, to address these potential
impairments, and may include such activities as periodically evaluating reporting lines and
responsibilities and developing alternative processes to obtain assurance related to the areas of
additional responsibility. The potential impairments exist because the chief audit executive is expected
to take on responsibilities that fall outside of internal auditing. Accordingly, increasing the budget for the
internal audit activity is LEAST likely to provide the necessary safeguards.

To Safeguard the Internal Audit in such situation, the following are possible actions:

• The board evaluates roles and responsibilities undertaken by the CAE and the controls in place to
address risks related to the undertaking.

• Outsourcing to an independent assurance services provider oversight of the performance of the new
duties by the CAE.

• The CAE discusses the potential impairments with the board and seeks approval to report functionally
to the board.
Designing, installing, or drafting procedures for information systems impairs the objectivity of
internal auditors. Such services may create a conflict of interest, a situation in which internal auditors
have a competing professional or personal interest. This may create an appearance of impropriety
that undermines confidence in the internal audit activity.

Continuing an engagement at a division for which the auditor will soon be responsible as the result of a
promotion is the situation most likely to impair the objectivity of the internal auditor.

The preparation of the engagement work program offers significant opportunities for bias;
therefore, it should not be done by an internal auditor who used to work for the engagement client. Such an
auditor should suggest that the engagement be performed by another member of the internal audit staff.

The CAE may assume responsibilities in risk management, provided that safeguards are in place
to address the risks of impairments to independence or objectivity.

Organizational independence is effectively achieved when the CAE reports functionally to the board
(Interpretation of Attr. Std. 1110). Failing to report fully about the reason for corrective action may imply
bias (a loss of objectivity) with regard to the engagement client.

Persons transferred to, or temporarily engaged by, the internal audit activity should NOT be assigned to
audit activities they previously performed until at least 1 year has elapsed. Such assignments are
presumed to impair objectivity.

Objectivity is presumed to be impaired if the internal audit activity designs, installs, or drafts
procedures or systems for which they also evaluate. Accordingly, the internal audit activity’s
responsibilities should NOT include designing and implementing controls.

The CAE’s objectivity could be impaired by the bonus, if the annual bonus is based on monetary
amounts recovered or recommended future savings as a result of engagements.

Which of the following is most likely to address the risks of potential impairments of
independence or objectivity when the chief audit executive (CAE) undertakes major responsibilities in the
compliance department?

The CAE seeks approval to report functionally to the board.


Subunit 4: Auditor Proficiency
Internal auditors must have sufficient knowledge of

(1) Key information technology risks and controls.

(2) Available technology-based audit techniques to perform their assigned work. But not all internal
auditors are expected to have the expertise of an internal auditor whose primary responsibility is
information technology auditing.

• The ability to conduct training sessions in specific areas is NOT among the required
competencies.

• the success of an internal auditor will depend, in part, on the auditor’s ability to organize and express
thoughts well.

• The internal audit activity collectively must possess or obtain the knowledge, skills, and other
competencies needed to perform its responsibilities, it includes consideration of current
activities, trends, and emerging issues as a basis for relevant advice and recommendations.

• Where the assigned auditors do not have the required expertise, planning and executing the audit
engagement without the appropriate background and skills is a violation of this standard.

• Determining the hours needed to complete the engagement is NOT necessary during the
selection of the audit team. This question should be answered during the budgeting phase of
planning for the engagement.

Subunit 5: Internal Audit Resources


External service providers are used when the internal audit staff does not have the necessary knowledge,
skills, and competencies to fulfill the responsibilities of the internal audit activity.

The following would be permissible when outsourcing internal audit functions:

• Partial or total external sourcing on an ongoing basis is an outsourcing alternative.
• Co-sourcing with external service providers for a specific engagement.
• Outsourcing when internal auditors lack the knowledge or skills needed to perform all or part of the
engagement.

However, oversight of and responsibility for the internal audit activity must NOT be outsourced.

Conducting periodic skills assessments to make sure each member of the internal audit activity is
qualified in all disciplines is not an appropriate way to ensure that the internal audit activity is able to fulfill its
responsibilities. (The internal audit activity as a whole, not each auditor individually, must be proficient in all
necessary competencies.)

An external service provider associated with the engagement client is unacceptable because the
person would not be independent or objective.

In a large organization, outsourcing has a structural advantage: it may more easily
accommodate engagement requirements in distant locations.

Use of external service providers with expertise in healthcare benefits is appropriate when the internal
audit activity is:
• Comparing healthcare costs with those of other programs and training staff to
conduct healthcare audits.
• Comparing healthcare costs with those of other programs and evaluating the
estimated liability for postretirement benefits.
• Comparing the cost of the organization’s healthcare program with other
programs offered in the industry.

Requiring certain professional certifications could limit the range of services offered by the internal
audit activity. Each member of the internal audit activity need not be qualified in all disciplines. The
internal audit activity should have an appropriate balance of experience, training, and skills to permit
the performance of a wide range of services.

The main purpose of conducting staff performance appraisals at the end of any major internal audit
engagement is to assess future training needs and current staff abilities.

The least useful step in obtaining reasonable assurance that the internal auditors are qualified to do
their work is determining that all applicants have an accounting degree. The internal audit activity
collectively must possess or obtain the knowledge, skills, and other competencies needed to
perform its responsibilities; however, NOT all auditors need to be qualified in all disciplines.

Subunit 6: Due Professional Care and Continuing Professional Development

During a consulting engagement, an internal auditor should exercise due professional care by
considering which of the following?

(1) Needs and expectations of engagement clients.
(2) Relative complexity and extent of work needed.
(3) Cost of the consulting engagement.

Due professional care implies reasonable care and competence, not infallibility or extraordinary
performance. Thus, due professional care requires the internal auditor to conduct examinations and
verifications to a reasonable extent.

Accordingly, internal auditors cannot give absolute assurance that noncompliance or irregularities do not
exist. Nevertheless, the possibility of material irregularities or noncompliance needs to be
considered whenever the internal auditor undertakes an internal auditing assignment. Thus,
considering the possibility of nonconformance or material irregularities at all times during an
engagement is the only way of demonstrating that due professional care has been taken in an
internal audit assignment.

Internal auditors must exercise due professional care by considering the:

• Extent of work needed to achieve the engagement’s objectives.
• Relative complexity, materiality, or significance of matters to which assurance procedures are applied.
• Adequacy and effectiveness of governance, risk management, and control processes.
• Probability of significant errors, fraud, or noncompliance.
• Cost of assurance in relation to potential benefits.

The statement “Perform assurance procedures with due professional care so that all significant risks are
identified” is wrong, because assurance procedures, even when performed with due professional care, do
NOT guarantee that ALL significant risks will be identified.

Practicing and nonpracticing CIAs must complete 40 hours and 20 hours, respectively, of CPE
annually, including at least 2 hours of ethics training.

Internal auditors who fail to maintain their proficiency through continuing education could be found to be
in violation of both the International Standards for the Professional Practice of Internal Auditing and The
IIA’s Code of Ethics.

Due professional care implies reasonable care and competence, not infallibility or extraordinary
performance. It requires the internal auditor to conduct examinations and verifications to a reasonable
extent. (The conduct of extensive examinations is NOT required).

Performing internal audit engagements as a CAE does NOT qualify as CPE.

The following are qualifying activities for CPE:

• Performing external quality assessments.
• Delivering oral presentations.
• Participating as a subject matter expert volunteer.

Engagement effort may be required for a quantitatively immaterial item if adverse effects are likely
to occur, for example, a material contingent liability arising from an illegal payment that is otherwise
immaterial.

An exhaustive review of petty cash is not an efficient and effective use of limited internal audit
resources because it will not prevent or detect significant fraud. The amount of any theft of petty cash
will not be substantial.

An engagement communication should never be viewed as providing an infallible truth about a subject.
Accordingly, internal auditors cannot give absolute assurance that noncompliance or irregularities do not
exist.

• Prior approval by The IIA is NOT necessary for CPE courses.
• Attendance, as an officer or committee member, at formal IIA meetings meets the criteria of CPE.
• Practicing certified internal auditors are required to obtain 40 hours of CPE annually.
• CIAs have formal requirements that must be met in order to continue as CIAs.

The Internal Audit Competency Framework consists of ten core competencies, listed below:
(Technical Expertise)

1. Professional ethics: Promotes and applies professional ethics.
2. Internal audit management: Develops and manages the internal audit function.
3. IPPF: Applies the International Professional Practices Framework (IPPF).
4. Governance, risk and control: Applies a thorough understanding of governance, risk and control
appropriate to the organization.
5. Business acumen: Maintains expertise of the business environment, industry practices and specific
organizational factors.
6. Communication: Communicates with impact.
7. Persuasion and collaboration: Persuades and motivates others through collaboration and
cooperation.
8. Critical thinking: Applies process analysis, business intelligence and problem-solving techniques.
9. Internal audit delivery: Delivers internal audit engagements.
10. Improvement and innovation: Embraces change and drives improvement and innovation.

The emphasis of internal auditors’ technical expertise is on:

(1) The IPPF
(2) Governance, risk, and control
(3) Experience in business acumen

Internal auditors are competent regarding business acumen when they maintain expertise related to
(1) the business environment, (2) industry practices, and (3) specific organizational factors.

The most appropriate preventive measure for staff communication problems with engagement clients
is to provide staff with sufficient training to enhance communication skills.

Subunit 7: Quality Assurance and Improvement Program (QAIP)

Feedback, Feedforward

The following are designed to provide feedback on the effectiveness of an internal audit activity:

1. Proper supervision.
2. Internal reviews (ongoing reviews).
3. External reviews (external assessment).

Proper Training is designed to provide feedforward, NOT feedback.

The CAE must develop and maintain a quality assurance and improvement program that covers
all aspects of the internal audit activity.

What are the elements of the assessment of a QAIP?

• Contribution to the organization’s governance, risk management, and control processes.
• Adequacy of the internal audit activity’s charter.
• Conformance with the Standards and Code of Ethics.

Oversight of the work of external auditors, including coordination with the internal audit activity,
is the responsibility of the Board.
It is NOT within the scope of the process for monitoring and assessing the QAIP.

Appraising each internal auditor’s work at least annually is a function of the human resources
program of the internal audit activity NOT an element of QAIP.

Internal assessments consist of ongoing monitoring and periodic self-assessments, which evaluate
the internal audit activity’s:

• Conformance with the mandatory elements of the IPPF.
• The quality and supervision of audit work performed.
• The adequacy of internal audit policies and procedures.
• The value added to the organization.
• The establishment and achievement of key performance indicators (KPIs).

External assessments provide an opportunity for an independent assessment team to identify areas
for improvement for the internal audit activity.

Deming Cycle (Plan, Do, Check, and Act)

Plan, Do, Check, and Act are the four key steps of the Deming Cycle that operate in an interactive
manner. The Deming Cycle can be used to establish an organization’s quality assurance and
improvement program (QAIP) in a planned and methodical manner.

The steps are:

(1) Plan: establish standards and expectations for operating a process to meet goals.
(2) Do: execute the process and collect data for further analysis in the later steps.
(3) Check: compare actual results with expected results and analyze the difference.
(4) Act: provide feedback by identifying and implementing improvements to the process.

Formally documenting standards and expected practices. (Plan)
Developing activities to define quality and build staff awareness of standards and expectations. (Do)
Assessing and reviewing product or process quality. (Check)
Undertaking improvement initiatives and documenting lessons learned. (Act)

The CAE should examine departmental procedures and the conduct of the specific engagement
mentioned to ascertain that proper planning and quality assurance procedures are in place and are
being followed.

A self-assessment may be performed in lieu of a full external assessment, provided it is validated by
a qualified, independent, competent, and professional external assessor.

The CAE is responsible for ensuring that the internal audit activity conducts an external assessment at
least once every five years.

Subunit 8: Internal and External Assessments

The broad scope of coverage of the external assessment of the internal audit activity includes the
following:

• Adherence to the internal audit activity’s charter.
• Conformance with the Standards and Code of Ethics.
• The efficiency and effectiveness of the internal audit activity, including the internal auditors’
knowledge, experience, and expertise.
• The expectations of the internal audit activity expressed by the board, senior management, and
operational managers.

The external assessment should consist of a broad scope of coverage that includes:
(1) Conformance with the Definition of Internal Auditing, Standards, Code of Ethics and the
charter, plans, policies, procedures, practices, and applicable legislative and regulatory
requirements.
(2) Expectations of the IAA expressed by the board, executive management and operational
managers.
(3) Integration of the IAA into the organization’s governance process, including the relationships
between the key groups involved in the process.
(4) Tools and techniques employed by the IAA.
(5) The mix of knowledge, experience, and disciplines within the staff, including staff focus on
process improvement.
(6) Whether the IAA adds value and improves the organization’s operations.

A detailed cost-benefit analysis of the IAA would NOT be part of the external assessment.

The interpretation related to quality assurance given by the Standards is that:

External assessments provide an independent and objective evaluation of the internal audit activity’s
compliance with the Standards and Code of Ethics.

The processes and tools used in Ongoing Internal Assessments include, among other things,
measures of project budgets, timekeeping systems, and audit plan completion. These may help to
determine whether the appropriate amount of time was spent on all parts of the engagement.

The following will be examined by the internal assessment team to evaluate the quality of engagement
planning and documentation for individual engagements:
• Measures of project budgets.
• Audit plan completion.
• Timekeeping systems.

Those conducting internal assessments generally should report to the CAE while performing the reviews
and communicate directly to the CAE.

External assessments of an internal audit activity contain an expressed opinion or conclusion on overall
conformance with the Standards and possibly an assessment for each standard or series of
standards. An external assessment also includes, as appropriate, recommendations (corrective action
plans) for improvement.

According to IIA guidance, external assessments must be conducted by a qualified, independent
assessor or assessment team from outside the organization (Attr. Std. 1312).
Company managers or members of the board therefore may NOT be members of the external
quality assessment team even if they are independent of the internal audit activity.

Adequate supervision is a fundamental element of Internal Assessments (NOT external assessment)

Subunit 9: Reporting on Quality Assurance

The conclusion by an assessor of the internal audit activity in accordance with a quality assurance
and improvement program (QAIP)

The external assessment report typically includes an assessment for each standard and an overall
assessment for each standard series (attribute and performance). These assessments are in addition
to the overall conformance results. A rating scale may be used to show the degree of conformance.

The CAE must communicate the results of the quality assurance and improvement program, including the
assessor’s conclusion, in the disclosure to senior management and the board.

Disclosure should include:

(1) The scope and frequency of both the internal and external assessments.
(2) The qualifications and independence of the assessor(s) or assessment team, including potential
conflicts of interest.
(3) Conclusions of assessors.
(4) Corrective action plans.

During an external assessment, the assessor may provide recommendations to address:

(a) Areas that were not in conformance with the Standards.
(b) Opportunities for improvement.

The following would be appropriate outcomes of a quality assurance and improvement program in an
internal audit activity:

1. Modification of resources.
2. Corrections to procedures.
3. Changes in processes.
4. Implementation of new technology.

The CAE also may consider:

(1) Adding the recommendations and action plans to the internal audit activity’s existing
monitoring of progress related to internal audit engagement findings.
(2) Reporting on resolutions (Recommendations to address areas that were not in conformance
with the Standards).
(3) Verification that recommendations identified during the external assessment have been
implemented is communicated to the board either:
(a) As part of the internal audit activity’s monitoring of progress.
OR
(b) By following up separately through the next QAIP internal assessment.
(4) The CAE may provide action plans to address recommendations from the external assessment.

The results of External Assessment OR Periodic Internal Assessments are communicated upon
completion of such assessments.

The results of Ongoing Monitoring are communicated at least annually.

An internal audit activity must have an external assessment every 5 years.

Initial use of the conformance phrase requires the completion of an External Assessment within the
past 5 years.

Internal auditors may state in their audit report that their activities conform with The IIA Standards only
if that statement is supported by the results of the quality program (QAIP).

One scale consists of three ratings:

Generally conforms, partially conforms, and does not conform.

1- An internal audit activity has a charter, policies, and processes, and their execution and results
conform with the Standards. (Generally conforms.)

2- Deficiencies in practice are judged to deviate from the Standards, but they do not preclude
the internal audit activity from performing its responsibilities. (Partially conforms.)

3- Deficiencies in practice are judged to be so significant as to seriously impair, or preclude, the
internal audit activity’s ability to perform adequately in all or in significant areas of its
responsibilities. (Does not conform.)

The CAE should recommend that the results of an external quality assessment be shared with the board to
provide accountability and transparency for the IAA’s operations.

* * *
Governance | Subunit 1: Governance Principles

Governance is the responsibility of the board.

Internal audit’s responsibility is to assess governance processes and make appropriate
recommendations for improvement.

Governance is concerned with optimizing organizational activities to achieve the organization’s
objectives. Thus, its primary purposes are to inform, direct, manage, and monitor “internal”
activities.

Influencing government regulators is NOT a primary purpose of governance.

Summary of Governance Principles:

1- Independent and objective board.
2- Understanding of the operating structure by senior management and the board.
3- A strategy to measure performance for all.
4- A structure to accomplish strategic objectives.
5- Governing policy to operate key activities.
6- Enforced lines of responsibility and accountability.
7- Effective interaction between board, management and auditors.
8- Oversight by management, including strong controls.
9- Oversight of related parties’ transactions and conflicts of interest.
10- Compensation policies for senior management to encourage appropriate behavior.
11- Ethical culture and employees’ feedback without fear.
12- Effective use of internal and external auditors, ensuring independence and effectiveness.
13- Risk management policies and processes definition and implementation.
14- Disclosure of key information for stakeholders.
15- Comparison of governance processes with best practices.

Governance has two major components:

1) Strategic direction to determine:
1- The business model,
2- Overall objectives,
3- The approach to risk taking (risk appetite),
4- The limits of organizational conduct.

2) Oversight is the governance component with which internal auditing is most concerned. It is also the
component to which risk management and control activities are most likely to be applied.

The elements of oversight are:

1- The performance of risk management activities by senior management and risk owners.
2- Internal and external assurance activities (internal and external auditing).

“Regulations and ethics are NOT major components of governance.”


Internal corporate governance functions:
- Board of directors
- Bylaws
- Corporate Charter
- Internal audit function
- Ethical Culture

External corporate governance functions:
- Laws
- Government regulations

“Ensuring effective organizational performance management and accountability is most directly the
proper function of governance.”

The risk committee (created by the board) does the following:

• Identifies key risks,
• Connects them to risk management processes,
• Delegates them to risk owners, and
• Considers whether tolerance levels are consistent with the organization’s risk appetite.

The internal audit activity periodically assesses the elements of the ethical climate of the
organization and its effectiveness in achieving legal and ethical compliance. Internal auditors
therefore evaluate the effectiveness of the code of conduct and related statements and policies.

The internal audit activity evaluates the effectiveness of the following:

• Regular reviews of the ethical culture processes.
• The confidential reporting of alleged misconduct.
• The personnel practices that encourage contributions by employees.
• The background checks.
• The declarations by suppliers about the requirements of ethical behavior.

When evaluating a code of conduct, it is important to consider two items: comprehensiveness and
compliance.
The code should address the ethical issues that the employees are expected to encounter and
provide suitable guidance. The internal auditor also must consider the extent to which employees are
complying with the standards established.

Codes of conduct and the organization’s vision are issued to state:

• The organization’s values and objectives.
• The behavior expected.
• The strategies for maintaining a culture consistent with legal, ethical, and societal
responsibilities.

Performance Standard 2110 states (a BASIC principle of governance): “The internal audit activity
must assess and make appropriate recommendations to improve the organization’s governance
processes (evaluate the process of performance management) for:

• Making strategic and operational decisions.
• Overseeing risk management and control.
• Promoting ethics and values within the organization.
• Ensuring effective organizational performance management and accountability (most likely).
• Communicating risk and control information to appropriate areas of the organization.
• Coordinating the activities of, and communicating information among, the board, external and
internal auditors, other assurance providers, and management.”

Thus, in an assurance engagement, the internal audit activity must evaluate the design,
implementation, and effectiveness of the organization’s ethics-related objectives, programs, and
activities.

Ethical Culture, bylaws, corporate charter and board of directors and internal audit function are
examples of Internal Corporate Governance, and laws, regulations, and the government regulators
who enforce them are examples of external governance.

The role of the internal audit activity depends on the Maturity of the Governance System.

- In a LESS mature system, the internal audit activity emphasizes compliance with policies,
procedures, laws, etc. and the Basic Risks to the organization. (Providing advice about
basic risks to the organization)
- In a MORE mature governance system, the internal audit activity’s emphasis is on optimizing
structure and practices (Consulting role). (Evaluating the effectiveness of specific
governance processes)

A less mature governance system will emphasize the requirements for compliance with policies,
procedures, plans, laws, regulations, and contracts. It will also address the basic risks to the
organization. Thus, the internal audit activity will provide advice about such matters. As the
governance process becomes more structured, the internal audit activity’s emphasis will shift to
optimizing the governance structure and practices, perhaps by playing a consulting role in optimizing
them.

Internal auditors impair their objectivity by designing processes. However, evaluating the design and
effectiveness of specific processes is a typical internal audit role.

Senior management is responsible for determining:

(1) Specific risks to be managed by the risk owners.
(2) Who the risk owners will be (managers responsible for specific day-to-day risks).
(3) How specific risks will be managed.
(4) Senior management also establishes and maintains an organizational culture, including an ethical
climate that fosters control.

Risk owners are responsible for the following:
1. Evaluating the organization’s ability to carry out risk management activities as designed and the
adequacy of the design. (Evaluate the RMA design.)
2. Determining whether risk management activities are operating as designed. (RMA operated and
implemented correctly.)
3. Establishing monitoring activities. (Monitoring.)
4. Ensuring that information to be reported to senior management and the board is accurate, timely,
and available. (Timely and accurate reporting of information.)

What is Culture?
• According to the COSO Enterprise Risk Management framework, culture consists of the attitudes,
behaviors, and understanding about risk, both positive and negative that influence the
decisions of management and personnel and reflect the mission, vision, and core values of the
organization.
“A reflection of the organization’s mission and vision and consists of the attitudes, behaviors, and
understanding about risk”.

Organizational culture is reflected in the following:

• Measuring performance.
• Specifying accountability.
• Complying with corporate social responsibilities.

The board of directors has oversight responsibilities over risks and controls.
The board of directors is responsible for the following:
• Selecting and removing officers
• Making decisions about capital structure
• Adding, amending, or repealing bylaws
• Initiating fundamental changes
• Declaring and distributing dividends
• Setting management compensation
• Coordinating audit activities
• Evaluating and managing risks
(The board may be the head of the organization)
However, shareholders can elect or remove directors at the annual meeting.

The board of director’s primary responsibility regarding internal control is to identify stakeholders
and the outcomes that are unacceptable.
(The board acts on behalf of the entity’s stakeholders. Typically, the board discusses yearly
performance and expected outcomes at an annual shareholders’ meeting)

Internal auditors (NOT senior management) are responsible for the following:
• Evaluating the adequacy and effectiveness of controls.
• Reviewing the reliability and integrity of financial and operational information.

Organizational performance is measured by achieving objectives. The IIA Glossary defines governance
as the combination of processes and structures implemented by the board to inform, direct,
manage, and monitor the activities of the organization toward the achievement of its objectives.
Thus, ensuring effective organizational performance management and accountability is most
directly the proper function of governance.

“Governance (not control) is directly responsible for ensuring effective organizational performance
management and accountability”

Governance practices ensure that the organization (purpose of governance practices):

(1) Complies with society’s legal and regulatory rules.
(2) Satisfies the generally accepted business norms, ethical principles, and social expectations of
society.
(3) Provides overall benefit to society.
(4) Enhances the interests of the specific stakeholders in both the long and short term.
(5) Reports fully and truthfully to its stakeholders, including the public, to ensure accountability for
its decisions, actions, and performance.

HOWEVER, maximizing executive compensation is NOT a goal of corporate governance.

Corporate governance involves a set of relationships between a company’s management, its
board, its shareholders, and other stakeholders.
Corporate governance also provides the structure through which the objectives of the company
are set and the monitoring of performance is determined.

The chief ethics officer should NOT propose or implement any processes or procedures for the
organization, such as designing or implementing a new whistleblower program, because
implementation is a management function and therefore conflicts with the
independence of the internal audit activity.
Recommending or evaluating a new whistleblower program does not conflict with the independence
attribute of the internal audit activity.

In short, recommending or evaluating, but not implementing, a new process or procedure does not conflict
with the independence of the IAA.

Stakeholders are persons or entities who are affected by the activities of the entity. Among others,
these include (1) shareholders, (2) employees, (3) suppliers, (4) customers, (5) neighbors of the
entity’s facilities, and (6) government regulators.

Internal and external auditors should be used effectively to ensure:

(1) Their independence.
(2) The adequacy of their resources and the scope of their activities.
(3) The effectiveness of operations and their interaction among the board, management, and
assurance providers.

Moreover, an entity should have an independent and objective board with sufficient expertise,
experience, authority, and resources to conduct independent inquiries.
“Supporting accomplishing strategic objectives and measuring performance as governance
principles are NOT directly related to internal and external auditors.”

Ethics Advocates:

It is the responsibility of senior management, the internal auditors, and the employees in the
accounting department to be ethics advocates, whether officially or informally.

Subunit 2: Roles of Internal Auditors in Governance

The audit plan should include higher-risk governance processes. It should define:
(1) The nature of the work
(2) The governance processes
(3) The nature of the assessments, e.g., consideration of specific risks, processes, or activities.

The internal auditor should consider the following in assessing the Governance:
• Audits of specific processes.
• Governance issues arising from audits not focused on governance.
• The results of other assurance providers’ work.
• Other information such as adverse incidents indicating an opportunity to improve governance.

The design and practice of effective governance vary with:

• The size, complexity, and life-cycle maturity of the organization;
• The organization’s stakeholder structure; and
• Legal and cultural requirements.

The CAE should consider the following in planning assessments of governance:

• An audit should address controls in governance processes that are designed to prevent or detect
events with a negative effect on the organization.
• Controls within governance processes are significant in managing multiple risks.
• If other audits assess controls in governance processes, the auditor should consider relying
on their results.
• Whether all major decisions have been authorized by senior management (not the board).
• Whether the CAE can rely on the assessment of internal control performed by external auditors.
• Whether employees at all levels of the organization adhere to the code of ethics.

Roles of the internal audit activity in best practice governance activities:

1- Reports significant audit issues.
2- Supports the board in enterprise-wide risk assessment.
3- Conducts follow-up and reports on management’s response to external audits.

The design and implementation of governance processes are the responsibility of the board and
management.

The Chief Audit Executive (CAE) is likely to use consultants to assess governance when the
organization’s governance process is:
(1) Not mature, or
(2) Control issues are known.

Governance has a range of definitions depending on the circumstances. The CAE should work with
the board and senior management, as appropriate, to determine how governance should be defined
for internal audit purposes.

Governance models generally treat governance as a process or a system that is NOT static. The
approach in the Standards emphasizes the board and its governance activities.

Governance does NOT exist as distinct processes and control structures but instead as
relationships with risk management and control.

Subunit 3: Corporate Social Responsibility (CSR)


ISO 14000 is a set of criteria established by the International Organization for Standardization for an
ENVIRONMENTAL MANAGEMENT SYSTEM. This system is not required but provides standards for
implementing and maintaining environmental management systems. Additionally, such systems
provide lower costs and improve corporate image.

ISO 14000 is merely a set of criteria for certification of an environmental management system. It
states no requirements and has no enforcement process.

The benefits of implementing ISO 14000 are:


(1) Decrease the cost of waste management
(2) Provide savings in consumption of energy and materials
(3) Lower distribution costs
(4) Improve corporate image among regulators, customers, and the public.

CSR can be profitable. Serving the community involves certain costs; however, the benefits of CSR may
exceed the costs. Examples of the benefits are:
1- Positive public perception on a local, national, and international level
2- Retention of workers.
3- Charity as a form of advertising (brand building).
4- Deductibility of charitable donations.
Four responsibilities that an organization must fulfill to be called Socially Responsible:
(1) Economic responsibility
(2) Legal responsibility
(3) Ethical responsibility
(4) Philanthropic responsibility.
Compliance with an ISO 14000 criterion is not one of the four responsibilities to be called socially
responsible.

The Global Reporting Initiative (GRI) has developed a sustainability-reporting framework that
provides specific guidance on measuring CSR performance against predefined criteria.

Corporate Social Responsibility Strategies (To measure CSR Performance):


1- Pro-action: is when the organization takes the initiative in implementing a CSR program that
serves as an example for the industry.
2- Accommodation: is when the organization assumes additional responsibilities only when
pressured.
3- Defense: is when the organization uses legal action or public relations efforts to avoid
additional responsibilities.
4- Re-action: is when the organization denies or ignores responsibility and tries to maintain the
status quo.

What are the risks of failing to implement an effective CSR program?


1- Loss of the organization’s brand or reputation.
2- Failing to comply with regulations or contractual obligations
3- Employees leaving the organization and difficulty attracting new employees.

CSR Business Activities generally include:


(1) Establishing and communicating policies and procedures.
(2) Setting objectives, performance goals, and strategies
(3) Communicating and integrating CSR principles and controls into the business decision-making processes
(CSR risks will be considered before projects are approved)
(4) Monitoring, evaluating results, and benchmarking.
(5) Engaging stakeholders.
(6) Auditing.
(7) External and internal reporting of results.

CSR controls are actions taken to manage CSR risks. Thus, an organization considers CSR risks
before projects are approved and communicates and integrates CSR principles and controls into
the business decision-making processes.

“Integrating CSR principles and controls into the decision-making process is the CSR business
activity which an organization would consider CSR risks before projects are approved”
CSR elements:
1- Governance:
Tests relating to the governance element most likely concern the board and reporting
information to stakeholders.
2- Ethics:
Includes determining whether the organization reflects an anti-corruption culture, for
example, in the organization’s risk assessment, code of conduct, or policies.
3- Environment:
Concerns social and environmental issues (e.g., social and environmental impact
assessments).
4- Working conditions and human rights:
Concerns fair pay and hiring practices, among others.
5- Transparency:
Most likely concerns protecting the personal information of clients and customers.
6- Health, safety and security:
The organization considers everything that has been done and reports any issues.

CSR Stakeholder Groups are:


1- Customers
2- Employees and their families
3- The environment
4- Neighboring communities
5- Shareholders
6- Suppliers.
Unit 4: Risk Management | Subunit 1: Risk Management Processes

The internal audit activity should assist the organization by identifying and evaluating significant
exposures to risk and contributing to the improvement of risk management and control systems.

The internal audit activity must evaluate risk exposures and evaluate the adequacy and
effectiveness of controls related to governance, operations, and information systems regarding the
safeguarding of assets (Impl. Std. 2120.A1). For example, internal auditors evaluate risk exposure
arising from theft, fire, improper or illegal activities, and exposure to the elements.

Condition: Related to
Misapplication of accounting principles: Reliability of information
Procedures that are not cost justified: Efficiency
Under-usage of facilities: Efficiency of operations
Exposure to the elements: Safeguarding of assets

The internal auditor should evaluate the adequacy of controls over the safeguarding of assets from
all of the following:
- Improper employee usage (Not Under-usage of facilities)
- Misappropriation schemes.
- Exposure to the elements.
- Theft.
- Fire.
- Improper or illegal activities.

Senior management and the board determine the role of internal auditing in the risk management
process.

Their view on internal auditing’s role is likely to be determined by factors such as:
- The culture of the organization.
- Ability of the internal audit staff.
- Local conditions and customs.

Internal auditors need to obtain sufficient and appropriate evidence to determine that key objectives
of the risk management processes are being met to form an opinion on the adequacy of risk
management processes.

The correct order of steps in the risk management process is as follows:


1. Identify context
2. Identify risks
3. Assess and prioritize risks
4. Formulate risk responses
5. Monitor risk responses.
Another order of the steps:
1. Risk identification
2. Risk Assessment
3. Risk prioritization
4. Risk Response Planning
5. Risk monitoring

The following are roles of Senior Management (Not the Internal Auditor):

- Determine how the risk should be managed.
- Update the risk management process based on risk exposures.
- Design controls to mitigate the identified risks.

The role of the Internal Auditor is to provide reasonable assurance on the management of the risk.

The documents which demonstrate the internal audit activity’s roles regarding risk management are
the following:

1- The Internal Audit Charter.
2- The Internal Audit Plan.
3- Minutes of meetings in which internal audit recommendations were discussed.
4- Internal audit risk assessments.
5- Internal audit action plans addressing risks.

Maximizing shareholder value is a comprehensive approach that relates to risk management
strategies across the organization (this goal sets risk management strategies at the optimum level).

Assessing significant risks and ongoing monitoring activities by the internal audit activity are part
of the risk management process, but the review of previous risk evaluation reports by management, internal
auditors, external auditors, and any other sources is an audit procedure used to obtain evidence for an
assessment.

Overseeing the establishment, administration, and assessment of the organization’s system of risk
management processes is the role of senior management, not the CAE.

In situations where the organization does NOT have formal risk management processes, the CAE
should formally discuss with management and the board their obligations to understand, manage, and
monitor risks within the organization and the need to satisfy themselves that there are processes operating
within the organization which, even if informal, provide the appropriate level of visibility into the key
risks and how they are being managed and monitored.

The key input in the evaluation of risk is informed judgment of the internal auditors.

The following are important statements regarding Monitoring Risk Response:


- The manager of an operating unit is in the best position to monitor the effects of the chosen risk
response strategies.
- The two most important sources of information for ongoing assessments of the adequacy of risk
responses are those closest to the activities themselves and the audit function.
- Analyzing risks and responses are among the normal duties of internal auditors.
- Operating managers may not always be objective about the risks facing their units.

The following processes or tools can be used as ongoing internal assessments of the performance
of the internal audit activity:
1. Analyses of audit plan completion and cost recoveries.
2. Selective peer reviews of work papers by staff involved in the respective audits.
3. Feedback from audit customers and stakeholders.
Validation by a qualified independent reviewer is NOT a process of ongoing internal assessment.

The risk analysis process, which may be formal or informal, involves:

1- Assessing the significance of an event.
2- Assessing the event’s likelihood.
3- Considering the means to manage the risk.

Risk Modeling in a consulting service is done by ranking the engagement’s potential to:
(1) Improve management of risks
(2) Add value
(3) Improve the organization’s operations

Determining that risk management processes are effective is a judgment resulting from the internal
auditor’s assessment that:

(1) Organizational objectives support and align with the organization’s mission;
(2) Significant risks are identified and assessed;
(3) Appropriate risk responses are selected that align with the organization’s risk appetite;
(4) Relevant risk information is captured and communicated in a timely manner.

The internal audit activity has a consulting role in identifying, evaluating, and implementing risk
management methods and controls.

Done by Senior Management: After all risks that could impact the achievement of organizational
objectives have been identified, the next step is to rank the risk areas in terms of seriousness
(Prioritization). i.e. the combination of probability (Likelihood) and potential impact.
The senior management and the board can use the Internal Audit Activity as a source of information
about risk management process considering the following facts:

- The IAA is objective about the risk management process, as all internal auditors must have an
impartial, unbiased attitude and avoid any conflict of interest.
- Operational management’s proximity to the daily functioning of the RMP makes it an important
source of information; however, the IAA is still considered an important source of information as
well.
- The board approves the internal audit activity’s work plan; therefore, the IAA needs information
about the RMP before senior management and the board do.
- The internal audit activity should be used as a source of information about the success of
ongoing risk management activities.

The two most important sources of information for ongoing assessments of the adequacy of risk
responses (and the changing nature of the risks) are those Closest to the Activities Themselves and
the Audit Function.

Operating managers may not always be objective about the risks facing their units, especially if they
had a stake in designing a particular response strategy.

Risk Management Processes may be:


- Formal or Informal
- Quantitative or Subjective
- Embedded in Business Units or Centralized.

An impact factor (the consequences of the event) is a potential result of an event. These events are usually identified through
the risk assessment process. For example, the consequences of fraud may include direct financial
loss in the form of fines and penalties.

“An impact factor of fraud involving senior management is fines and penalties”

Potential override of internal controls is a cause of an event, NOT an impact factor.

For an engagement to evaluate the controls over credit approval, the internal auditor does NOT
need to establish valuation criteria for the outstanding debt. Debt already acquired by the organization
does not require further credit approval.

Also, the adequacy of controls is NOT the primary objective of an engagement involving the valuation
of complex debt instruments.
(The internal auditor does NOT need to determine whether loans and other liabilities are valued in
accordance with industry regulations)
The following are Core Assurance Roles provided by the Internal Audit Activity:

1. Giving assurance on risk management processes.
2. Evaluating risk management processes.
3. Reviewing the management of key risks.

Risk management, at any level, consists of:


(1) Identifying potential events that may affect the entity.
(2) Managing the associated risk to be within the entity’s risk appetite.

Risk management should provide Reasonable Assurance that entity’s objectives are achieved.
Risk management is a key responsibility of Senior Management and the Board.
Boards have an oversight function and determine that risk management processes are in place,
adequate, and effective.

The Risk Appetite is the level of risk that an organization is willing to accept (The IIA Glossary).
Thus, communicating about the risk appetite with external parties is an important aspect of risk
management. It allows the organization to develop strategies to work with suppliers who may have
different objectives.

The following are all factors that could influence an organization’s risk appetite:

• The viewpoints of the major stakeholders, including the views of the company’s major
shareholders, bondholders, lenders, analysts, and many others. Each stakeholder might have a
different opinion as to how much risk a company should take on.
• Accounting factors, such as the volume of transactions and the complexity of the accounting
system.
• Changing rules and regulations.
• The opportunity for fraud to be committed.
• External factors, such as changing economic considerations, changes in industry, changes
in technology, etc.
• Governmental restrictions.
• Entity-level factors, such as the quality and quantity of hired personnel, quality of training
courses, changes in key personnel, etc.
Unit 4: Risk Management
Subunit 2: COSO Framework - Enterprise Risk Management (ERM)

An entity’s risk capacity is the maximum that can be assumed. The risk appetite is the maximum the
entity is willing to accept. Both appear on the risk profile.
But the purpose of the Risk profile is to view the relationship between RISKS and the Strategy or
Business Objective AND their effect on PERFORMANCE.
“Risk Profile is a view of the relationship between Risk and Performance”

The COSO’s Internal Control Framework is a process effected by the board, management, and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

The COSO ERM framework is defined as the culture, capabilities, and practices that organizations rely on to manage risk in
creating, preserving, and realizing value.

The COSO ERM framework incorporates some concepts of the COSO Internal Control Framework.

The COSO ERM framework is a basis for coordinating and integrating all of an organization’s risk
management activities. Effective integration:
(1) Improves decision-making.
(2) Enhances performance.

The components and principles of ERM, and their related controls should be Present and
Functioning to help the entity achieve its strategy and business objective.
“Present” means such components, principles, and controls exist in the design and implementation
of ERM.
“Functioning” means to continue to operate to achieve strategy and business objectives.
What are the components of ERM and what does each one address?

Component: What it addresses
1- Governance and culture (Supporting): Addresses board responsibilities, operating structures,
and core values, among others.
2- Information, communication, and reporting (Supporting): Addresses information systems, communication
channels, and reporting on risk, culture, and performance.
3- Strategy and objective-setting (Common Process): Addresses business context, risk appetite, strategy
selection, business objectives and risk profile.
4- Performance (Common Process): Consists of identifying, assessing, prioritizing,
responding to, and developing a portfolio view of risk.
5- Review and revision (Common Process): Addresses the review of, and changes in, strategy,
performance targets and tolerance, and ERM practices.

The Supporting Aspect Components are:


a) Governance and culture
b) Information, communication, and reporting.

The Common Process Components are:


a) Strategy and objective-setting,
b) Performance
c) Review and revision.

Five principles relate to Governance and Culture:


1) The board exercises risk oversight.
2) The organization establishes operating structures.
3) The organization defines the desired culture.
4) The organization demonstrates commitment to core values.
5) The organization attracts, develops, and retains capable individuals (Human Capital or Human Resources).

Three principles related to the Information, Communication and Reporting:


1) The organization leverages its information systems to support ERM
2) The organization uses communication channels to support ERM
3) The organization reports on risk, culture, and performance at multiple levels and across the
entity.
Four principles relate to Strategy and Objective Setting:
1) The organization analyzes business context and its effect on the risk profile.
2) The organization defines risk appetite (the amount of risk it is willing to accept in pursuit of value).
3) The organization evaluates strategies and their effects on the risk profile.
4) The organization establishes business objectives that align with and support strategy.

Five principles relate to Performance:


1) The organization identifies risks that affect the performance of strategy and business
objectives.
2) The organization assesses the severity of risk. Severity is a measure of such considerations as
impact, likelihood, and the time to recover from events.
3) The organization prioritizes risks at all levels.
4) The organization identifies and selects risk responses, recognizing that risk may be managed
but not eliminated. Risks should be managed within the business context and objectives,
performance targets, and risk appetite.
5) The organization develops and evaluates its portfolio view of risk.

Three principles relate to Review and Revision:


1) The organization identifies and assesses changes that may substantially affect strategy and
business objectives.
2) The organization reviews entity performance results and considers risk.
3) The organization pursues improvement of ERM.

The following activities are included in ERM:

1. Providing the basis for determining risk appetite.
2. Identifying potential risks.
3. Communicating information on risks consistently and at all levels.
4. Providing assurance on the effectiveness of risk management.

When ERM is effective regarding all of the objectives, the board and management have reasonable
assurance that:
(1) Reporting is reliable.
(2) Compliance is achieved.
(3) The extent of achievement of strategic and operations objectives is known.
Sharing Risk reduces the severity of the risk by transferring some risk to another party.
Examples of Sharing Risks (Mitigating Control):
- Insurance
- Hedging
- Joint ventures
- Outsourcing
- Contractual agreements with customers and vendors, or other business partners.
Example: Purchasing Currency Futures is a risk transfer (Sharing).

Risk Retention: is a risk response strategy which accepts the risk of an activity and is synonymous with
self-insurance.
Example: The company maintains a fund to pay for repairs to warehouse equipment.
The company accepts the risk of equipment repairs by using a form of self-insurance (a company fund) to
pay for repairs.

The entity defines risk appetite in the strategy and objective-setting component of ERM. In defining
risk appetite, the entity considers its mission, vision, culture, prior strategies, and risk capacity.
“The underlying premise of the COSO ERM framework is that every organization exists to provide
value for its stakeholders”

The COSO’s Internal Control Framework is a process effected by an entity’s board of directors,
management, and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives relating to operations, reporting, and compliance.

According to COSO ERM Framework:

1- Complexity: is the nature and scope of a risk, e.g., interdependence of risks.


2- Velocity: is the speed at which a risk affects the entity.
3- Persistence: is how long a risk affects the entity, including the time it takes the entity to recover.
4- Adaptability: is the entity’s capacity to adjust and respond to risks.
5- Recovery: is the entity’s capacity (not the time) to return to tolerance.

Severity of Risk is measured by combinations of risk’s impact and likelihood.


According to the COSO ERM framework:

- Strategy is the plan to achieve the entity’s mission and vision and apply its core values.
- Business objectives are the steps taken to achieve the entity’s strategy.
- Business objectives are (SOMO): (1) Specific, (2) Observable, (3) Measurable, and (4) Obtainable.
- Tolerance is the range of acceptable variation in performance.
- Business contexts may be characterized as complex, dynamic, or unpredictable.

The following may relate to Business Objectives:

1. Operational excellence.
2. Financial performance.
3. Compliance obligations.

An Enterprise Risk Management (ERM) Program is MOST EFFECTIVE when led by a Centralized
Coordinator, such as a Risk Officer. This person facilitates ERM by working with other managers in
establishing effective risk management in their areas of responsibility.

The following activities are undertaken as part of Risk Management:


1- Risk Identification
2- Risk analysis
3- Risk Response

BUT Risk Exposure is NOT considered an activity, it is a condition for the risk.

Chief Risk Officer (CRO):


A CRO is a member of management assigned primary responsibility for (ERM) Enterprise Risk
Management Processes.

“The function of the chief risk officer (CRO) is most effective when the CRO Monitors risk as part of
the enterprise risk management team”

Directors must possess certain qualities to be effective:

• A majority of the board should be outside directors.
• Directors generally should have years of experience in industry or in corporate governance.
• Directors must be willing to challenge management’s choices. Complacent directors increase the
chances of adverse consequences.

The portfolio view is the fully integrated view of risk: a composite view of the risks related to
entity-wide strategy and business objectives and their effect on entity performance.

Which of the following is the most accurate term for a process to identify, assess, manage, and
control potential events or situations to provide reasonable assurance regarding the achievement of
the organization’s objectives?
A. The internal audit activity.
B. Control process.
C. Risk management.
D. Consulting service.

Study Unit 4: Risk Management


Subunit 3: ISO 31000 Risk Management Frameworks:

ISO 31000 is a principles-based approach to risk management. Its principles are the foundation for
risk management. They also communicate the characteristics, value, and purpose of effective and
efficient risk management.

The ISO 31000 model describes three approaches to provide assurance on risk management processes:
1- The Maturity Model Approach: (Value is added at each stage of maturation)
It is based on the principle that effective risk management processes develop as value is added at
each stage of maturation. Accordingly, this approach determines where risk management is on the
maturity curve and whether it:
(1) Is progressing as expected
(2) Adds value
(3) Meets organizational needs.
2- The Process Element Approach: (Certain Elements have been implemented)
It determines whether certain elements (i.e., formal risk identification, formal risk analysis, risk
evaluation, etc.) have been implemented.
3- The Key Principles Approach: (Risk Management Principles are in place)
It determines whether the risk management principles are in place (e.g., integrated, structured,
comprehensive, and customized).
Exam Alert: There are two approaches to risk management which are widely practiced: top down (start
with objectives, then risks, and then controls over the process) and bottom up (start with the process,
then controls, risks, and objectives).

Exam Alert: Understand the bottom-up approach. It is a philosophy that an organization needs to identify risk
at the following levels: Process Level - Project/Department Level - Vertical/Functional Level - Business
Unit Level - Organization Level.
The bottom-up approach could completely consume all resources and take all your time, but it would
represent the most precise picture of the risk and could be completely quantified. However, it is not
widely used.

ISO 31000 is based on the Plan, Do, Check, and Act method.

Five Components of the Risk Management Framework of the ISO 31000 model:
(I I I D E)
1- Integration
2- Implementation
3- Improvement
4- Design
5- Evaluation

Eight Principles of Risk Management as of ISO 31000 Model:


(I I D – HB – CCC)
1- Integrated
2- Inclusive
3- Dynamic
4- Human and Culture Factors
5- Best Information available
6- Customized
7- Continual Improvement
8- Comprehensive and Structured

The DESIGN of the framework according to ISO 31000 involves:


1. Understanding the organization and its context.
2. Articulating commitment to risk management
3. Assigning and communicating authorities, responsibilities, and accountabilities for risk management
roles at all levels
4. Allocating resources (e.g., people, experience, processes, and information systems) to support risk
management.
5. Establishing communication and consultation.
The Elements of the ISO 31000 Risk Management Process: (CS RRMR)
1. Communication and consultation.
2. Scope, context, and criteria.
3. Risk assessment (Analysis) (including Identify, analyze and Evaluate Risks).
4. Risk treatment (including risk appetite).
5. Monitoring and review.
6. Recording and reporting.

Risk appetite is considered during risk treatment, but is not a separate element.
The risk assessment element of a risk management process is the process of identifying, analyzing, and
evaluating risk.
Risk evaluation supports decision making by comparing the defined risk criteria with the outcome of
risk analysis and determining whether any action is required.

How does risk assessment support decision making?

“Risk assessment compares the established risk criteria with the results of the risk analysis”
Unit 5: Controls: Types and Frameworks | Subunit 1: Overview of Control

The elements of control (implied in the definition of control) include:

(1) Establishing standards for the operations to be controlled.
(2) Measuring performance toward standards and goals (measurement of progress toward goals).
(3) Uncovering deviations from plans.
(4) Taking corrective action.
(5) Reappraising the standards based on experience.

“Assignment of Responsibility of Deviations Is Not Part of The Control Function”

Assigning responsibility is not part of the controlling function.

Planning provides needed tools for the control process by establishing standards, i.e., the first step.

Control is “any action taken by management, the board, and other parties to manage risk and
increase the likelihood that established objectives and goals will be achieved”

“Control is the result of proper planning, organizing, and directing by management”

Efficient Performance: accomplishes objectives and goals in an accurate, timely, and economical
fashion.

Cost-benefit considerations apply even to employee theft, so the cost-benefit should be calculated in order
to decide if the control needs to be implemented or not. A Limiting Factor is that the cost of internal
control should not exceed its expected benefits.

Controls DO NOT directly address management’s planning, organizing, and directing processes.
Internal auditors evaluate management processes to determine whether reasonable assurance exists that
objectives and goals will be achieved.

“Control processes are expected to ensure that operations are performed efficiently and achieve
established results”

A risk-averse organization can use standard operating procedures (SOPs) as controls; they will be
more effective there than in a risk-tolerant organization (an organization with an entrepreneurial focus).

An organization with an entrepreneurial focus has a high risk appetite and risk tolerance.

The more risk averse an organization, the more likely its members will comply with controls.
Internal control is a process, effected by those charged with governance, management, and other
personnel, designed to provide reasonable assurance about the achievement of the entity’s
objectives.
Those objectives include:
(1) Reliability of financial reporting
(2) Effectiveness and efficiency of operations
(3) Compliance with applicable laws and regulations.

Internal auditors must:

• Ascertain that management has established adequate criteria to determine whether objectives and
goals have been accomplished.
• If adequate, internal auditors must use management’s adequate control criteria in their
evaluation.
• If inadequate, internal auditors must work with management to develop appropriate control
evaluation criteria.

Collusion is an inherent limitation of internal control. Manual or automated controls can be
circumvented by collusion.

Limitations of Internal Control examples:


- Management override.
- Faulty human judgment.
- Human Error in decision making.
- Collusion among employees. (Controls circumvented by collusion).
- Simple Error or Mistake.
- Management makes judgments about the extent of controls it implements and designs.
- The cost of internal control should not exceed its benefits.

To determine whether management has overridden approvals, the auditor should compare actual
expenditures with budgeted amounts. (Verifying that approved spending limits are not exceeded).

Internal controls are designed to provide reasonable assurance that material errors or fraud will be
prevented, or detected and corrected, within a timely period by employees in the course of
performing their assigned duties.
❖ The Limitations of Internal Controls increase the risk that an internal auditor may not detect a
material error or fraud during an audit.

❖ Failure of Segregation of Duties (Incompatible duties) is NOT a limitation of internal control.
Segregation of duties is a category of control activities.
Manual controls may be more suitable than Automated Controls where judgment is required, such
as:
(1) For large, unusual, or nonrecurring transactions.
(2) For circumstances where misstatements are difficult to define, anticipate, or predict.
(3) In changing circumstances that require a control response outside the scope of the control.
(4) In monitoring the effectiveness of automated controls.

Unit 5: Controls: Types and Frameworks | Subunit 2: Types of Controls

Input Controls or Edit Checks Types:

1- Validity check: Validity checks compare the data entered in a given field with a table of valid values
for that field. For example, a customer number must already be on the list of approved customers; the
check is used to detect a data input error in the customer account number field.
2- Limit, reasonableness or range check: Reasonableness, limit, and range checks are based upon
known limits for given information. For example, the hours worked per week are not likely to be greater
than 45; the check is used to catch certain types of errors within the payment amount field of a transaction.
3- Control total: A record count is a control total of the number of records processed during the
operation of a program. Financial totals summarize dollar amounts in an information field in a
group of records.
4- Hash total: A hash total is the number obtained from totaling the same field value for each
transaction in a batch. The total has no meaning or value other than as a comparison with
another hash total.
5- Record count: A record count determines the number of documents entered into a process.
6- Echo check: An echo check tests the reliability of computer hardware. For example, the CPU
sends a signal to a printer that is echoed just prior to printing. The signal verifies that the proper print
position has been activated.
7- Check digit: A self-checking number is generated by applying an algorithm to an identification
number.
8- Check digit verification: Check digit verification is used to identify incorrect identification
numbers. The digit is generated by applying an algorithm to the ID number. During input, the check
digit is recomputed by applying the same algorithm to the entered ID number.
9- Redundant data check: A redundant data check searches for duplicate information in a database.
10- Sequence checks: Sequence checks are based on the logic that processing efficiency is greatly
increased when files are sorted on some designated field. If the system discovers a record out
of order, it may indicate that the files were not properly prepared for processing.
11- Format checks: Format (field) checks are tests of the characters in a field to verify that they are
of an appropriate type for that field. For example, an alphabetic character field would not allow a
number to be entered.
The process or the case | The control needed
Detect a data input error in the customer account number field | Validity check
Catch certain types of errors in the payment amount field of a transaction | Limit check / Reasonableness check / Range check
Total of the number of records processed during the operation | Control total
The number of documents entered into a process | Record count
Sum of the same field for each transaction in a batch, compared with another total of that field (a control total whose sum has no defined meaning) | Hash total
Test the reliability of computer hardware | Echo check
Identify incorrect identification numbers (e.g., an ID number keyed incorrectly) | Check digit verification
A self-checking number generated by applying an algorithm to an identification number | Check digit
Search for duplicate information in a database | Redundant data check
Files are sorted on a designated field; a record out of order is flagged | Sequence check
Test the characters in a field to verify that they are of an appropriate type for that field | Format check
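The edit checks listed above, exercised together over a constructed payroll batch, as an added example (Python written for these notes, not code from the revision kit). The record layout, the batch header fields, the 45-hour limit and the check-digit algorithm (Luhn mod 10) are assumptions. The header totals are computed from constructed "source documents" and then compared with what was keyed, so the record-count, financial-total and hash-total comparisons fire alongside the per-record checks.

```python
"""Batch input (edit) checks over a constructed payroll batch.

Added illustration, not code from the revision kit. Record layout, header
fields and the Luhn mod-10 check digit are assumptions chosen so that every
edit check in the notes fires at least once on the sample data.
"""
from dataclasses import dataclass
from decimal import Decimal

ID_LENGTH = 7                              # format check: employee IDs are 7 digits
MAX_HOURS = Decimal("45")                  # limit / reasonableness / range check
VALID_DEPARTMENTS = {"OPS", "FIN", "IT"}   # validity table (constructed)


def luhn_check_digit(body: str) -> str:
    """Generate the check digit for an ID body (assumed Luhn mod-10 scheme)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                     # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def verify_check_digit(identifier: str) -> bool:
    """Check digit verification: recompute from the entered ID and compare."""
    if not identifier.isdigit() or len(identifier) < 2:
        return False
    return luhn_check_digit(identifier[:-1]) == identifier[-1]


# Validity table of approved employee IDs (constructed), each carrying its check digit.
VALID_EMPLOYEE_IDS = {b + luhn_check_digit(b) for b in ("100001", "100002", "100003", "100004")}


@dataclass(frozen=True)
class PayRecord:
    seq: int               # sequence number assigned when the record was keyed
    employee_id: str
    dept: str
    hours: Decimal
    amount: Decimal


@dataclass(frozen=True)
class BatchHeader:
    record_count: int          # record count
    financial_total: Decimal   # financial (control) total of the amount field
    hash_total: int            # hash total of the employee-ID field (no business meaning)


def build_header(records) -> BatchHeader:
    """Batch totals as a control clerk would compute them from the source documents."""
    return BatchHeader(
        record_count=len(records),
        financial_total=sum((r.amount for r in records), Decimal("0")),
        hash_total=sum(int(r.employee_id) for r in records if r.employee_id.isdigit()),
    )


CHECKS = ("format", "check_digit", "validity", "range", "sequence",
          "redundant", "record_count", "financial_total", "hash_total")


def run_edit_checks(records, header: BatchHeader) -> dict:
    """Apply each edit check; return {check name: [exception messages]}."""
    findings = {name: [] for name in CHECKS}
    seen_ids = set()
    for expected_seq, r in enumerate(records, start=1):
        if r.seq != expected_seq:                                   # sequence check
            findings["sequence"].append(f"seq {r.seq}: expected {expected_seq}")
        if not (r.employee_id.isdigit() and len(r.employee_id) == ID_LENGTH):   # format check
            findings["format"].append(f"seq {r.seq}: employee_id {r.employee_id!r} is not {ID_LENGTH} digits")
        elif not verify_check_digit(r.employee_id):                 # check digit verification
            findings["check_digit"].append(f"seq {r.seq}: employee_id {r.employee_id} fails check digit")
        elif r.employee_id not in VALID_EMPLOYEE_IDS:               # validity check (ID table)
            findings["validity"].append(f"seq {r.seq}: employee_id {r.employee_id} not on approved list")
        if r.dept not in VALID_DEPARTMENTS:                         # validity check (department table)
            findings["validity"].append(f"seq {r.seq}: unknown department {r.dept!r}")
        if not (Decimal("0") <= r.hours <= MAX_HOURS):              # range / reasonableness check
            findings["range"].append(f"seq {r.seq}: hours {r.hours} outside 0..{MAX_HOURS}")
        if r.employee_id in seen_ids:                               # redundant data check
            findings["redundant"].append(f"seq {r.seq}: employee_id {r.employee_id} already in batch")
        seen_ids.add(r.employee_id)
    keyed = build_header(records)                                   # batch control totals
    for name in ("record_count", "financial_total", "hash_total"):
        if getattr(keyed, name) != getattr(header, name):
            findings[name].append(f"keyed {getattr(keyed, name)} vs header {getattr(header, name)}")
    return findings


# Constructed source documents: what the control clerk totals before keying.
SOURCE_RECORDS = [
    PayRecord(1, "1000017", "OPS", Decimal("40"), Decimal("1600.00")),
    PayRecord(2, "1000025", "FIN", Decimal("52"), Decimal("2080.00")),   # 52 hours: unreasonable
    PayRecord(3, "1000033", "IT",  Decimal("38"), Decimal("1250.00")),
    PayRecord(4, "1000041", "OPS", Decimal("8"),  Decimal("320.00")),
]
HEADER = build_header(SOURCE_RECORDS)

# Constructed keyed batch: record 3 mis-keyed (ID digit and amount transposed), record 4
# missing a digit, and an extra record keyed out of sequence with a bad department.
KEYED_BATCH = [
    PayRecord(1, "1000017", "OPS", Decimal("40"), Decimal("1600.00")),
    PayRecord(2, "1000025", "FIN", Decimal("52"), Decimal("2080.00")),
    PayRecord(3, "1000038", "IT",  Decimal("38"), Decimal("1520.00")),
    PayRecord(5, "100004",  "OPS", Decimal("8"),  Decimal("320.00")),
    PayRecord(4, "1000017", "HR",  Decimal("40"), Decimal("1600.00")),
]

if __name__ == "__main__":
    for check, messages in run_edit_checks(KEYED_BATCH, HEADER).items():
        for m in messages:
            print(f"{check:16} {m}")
```

Note how the checks are layered: a record that fails the format check is not passed on to check-digit verification or the validity table, so one keying error produces one exception rather than a cascade, while the batch-level totals still catch the mis-keyed amount and ID that no per-record check could see.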

Types of controls (mnemonic: FIFA):

1- Feedforward control: anticipates and prevents problems. Policies and procedures are feedforward
controls because they give guidance on how an activity should be performed so that the objective
is achieved.
2- Implementation control: applied during systems development.
3- Feedback control: measures the results of a completed transaction or activity and reports
deviations so that they can be corrected.
4- Application control: applies to a specific application, e.g., payroll or accounts payable.
When a copy of the sales invoice is not received by the shipping department and an employee requests
the document from the originating department, the process is an active, detective control.

When shipping documents (such as copies of the sales invoice, customer order form, and bill of lading)
are not received in the shipping department, the clerk should attempt to obtain the proper
documentation from the originating department. This control is detective because it detects and
attempts to correct an undesirable event that has already occurred, and active because it requires a
conscious intervention by the clerk to ensure the documentation is received.

Examples for Preventive Control:

• Segregation of duties.
• Using prenumbered standard purchase order forms.
• Review and approval of each procurement action.
A directive control is designed to cause or encourage a desirable event to occur, e.g., providing
management with assurance that specified minimum gross margins on sales will be realized.

What is an audit trail (management trail)?

An audit trail (or management trail) is a processing history control that enables management to track
transactions from their source to their output. Such controls are especially important in an EDI system,
where paper source documents are absent.

Application Controls:

Application controls are those that pertain to the scope of individual Business Processes or
Application Systems.
The objectives of application controls are to ensure that:

(1) Input data are accurate, complete, authorized, and correct.


(2) Data are processed as intended in an acceptable time period.
(3) Data stored are accurate and complete.
(4) Outputs are accurate and complete.
(5) A record is maintained to track the process of data from input to storage and to the eventual output.

Establishing logical access controls over infrastructure, applications, and data is an IT general
control.

IT General Controls:

IT general controls are those that pertain to all system components, processes, and data in an
organization's IT environment.

The objectives of IT general controls are:

1- To ensure the appropriate development and implementation of applications.
2- To ensure the integrity of program and data files and of computer operations.
3- To establish logical access controls over infrastructure, applications, and data.

The most common IT General Controls are:


(1) Logical access controls over infrastructure, applications and data.
(2) System development life cycle controls.
(3) Program change management controls.
(4) Physical security controls over the data center.
(5) System and data backup and recovery controls.

• Operating controls are designed with regard to the management functions of planning, organizing,
directing, and controlling. They are often DIFFICULT for internal auditors to evaluate because of a
lack of criteria or standards: such controls are used in the management processes of directing and
controlling and are based on comparing results with standards, and in those processes the standards
themselves are difficult to determine.

• Output controls ensure that processing results are complete, accurate, and properly distributed. An
important output control is user review: users should be able to determine when output is incomplete
or unreasonable, particularly when they prepared the input.

• Input controls are designed with primary consideration given to authorization, validation, and error
notification. Controls that pertain to the scope of individual business processes are application
controls; they cover the data cycle from input to storage and to the eventual output.
Controls by Levels (T-P-EM-EG):

• Transaction-level controls are designed to achieve transaction objectives and address risks specific
to transactions. Examples include IT application controls, exception reports, and segregation of
duties.
• Process-level controls are built to achieve process objectives and address process risks. Examples
include physical inventory counts, performance assessment, and review of revenue center reports.
• Entity-level management oversight controls are implemented by management at the business unit
level to achieve business unit objectives and address business unit risks. Examples include IT
general controls and period-end controls.
• Entity-level governance controls are established by the board of directors at the highest
(governance) level. They include organizational policies and procedures that define the entity's
culture and communicate its expectations. Examples include IT policies, the code of conduct,
oversight of controls, and setting the risk appetite.

What is a control matrix?

A control matrix is useful for matching controls with risks. Controls do not necessarily match risks
one-to-one: one control may address more than one risk, and more than one control may be needed to
adequately address a single risk. (That more than one control may be needed to address a single risk
is a characteristic of a control matrix.)

End of Subunit 2: Types of Controls


*******************************************

Unit 5: Controls: Types and Frameworks | Subunit 3: Control Frameworks

The control environment is a set of standards, processes, and structures. Its factors in the COSO
Internal Control – Integrated Framework are:

1. Integrity and ethical values
2. Commitment to competence
3. Board of directors or audit committee
4. Management's philosophy and operating style
5. Organizational structure
6. Assignment of authority and responsibility
7. Human resource policies and practices

Internal control is a process designed to provide reasonable assurance regarding the achievement of
objectives related to:
1- Reliability of financial reporting.
2- Effectiveness and efficiency of operations.
3- Compliance with laws and regulations.

• Senior management is primarily responsible for establishing a proper organizational culture and
specifying a system of internal control. Senior management is not likely to be involved in the
detailed design and day-to-day operation of a control system.
The eSAC Model

The five eSAC IT business assurance objectives (mnemonic: A Court Finds People Accountable):

1- A = Availability
2- C = Capability
3- F = Functionality
4- P = Protectability
5- A = Accountability

SOFT CONTROLS:

Facts about soft controls:

- The COSO and CoCo models Emphasize Soft Controls.


- Communication of ethical values and fostering of mutual trust are soft controls in CoCo model.
- Soft controls have become more necessary as technology advances have empowered employees.
- Control Self-Assessment is an approach to audit soft controls, which is the involvement of
management and staff in the assessment of internal controls within their work group.

The four components of the CoCo model are:

- Purpose
- Commitment
- Capability
- Monitoring and Learning (a single component; the mnemonic below splits it into two lines)

P = Purpose Police
C = Commitment Can
C = Capability Catch
M = Monitoring Many
L = Learning Lawbreakers

COSO model components (mnemonic: C R I M E):

1- Control activities are the policies and procedures that help ensure management directives are
carried out and actions are taken to address risks to the achievement of objectives.
2- Risk assessment identifies and analyzes external and internal risks to the achievement of objectives
at the activity level as well as the entity level.
3- Information and communication enable the organization to obtain, generate, use, and communicate
information to (a) maintain accountability and (b) measure and review performance.
4- Monitoring is a process that assesses the quality of the system's performance over time; it is
designed to ensure that internal controls continue to operate effectively.
5- The control environment reflects the attitude and actions of the board and management regarding
the significance of control within the organization.
Internal Control Frameworks:

1- COSO: Committee of Sponsoring Organizations of the Treadway Commission - Internal Control –


Integrated Framework.
2- COBIT: Integrated framework for Information Technology controls issued by the IT Governance
Institute.
3- The Turnbull Report: Guidance for Directors on the Combined Code, issued by the Institute of
Chartered Accountants in England and Wales.
4- CoCo: Guidance on Control (original title: Criteria of Control) issued by the Canadian Institute of
Chartered Accountants.

Stages of the monitoring-for-change continuum

(Four steps in the monitoring-for-change continuum described in COSO's 2009 guidance on monitoring)
1- Control baseline: establishes whether controls have been implemented to accomplish the
organization's internal control objectives.
2- Change identification: the stage in which separate and ongoing evaluations are used to identify
changes that may affect internal control effectiveness.
3- Change management: the process used when changes have occurred or been identified. The changes
must be managed, and a new control baseline established.
4- Control revalidation: the process of using monitoring procedures to revalidate the effectiveness
of controls.
What does each category of objectives address?

Strategic objectives. Consistent with and support the entity’s mission

Operations objectives. Address effectiveness and efficiency.

Reporting objectives. Relate to reliability of information contained in reports.

Compliance objectives. Relate to adherence to laws and regulations

• You need to read about COBIT 2019 framework.

• Under the COBIT 2019 framework, Governance system components can be Generic or Variant.
Generic components are applied in principle to any circumstances. Variant components are
designed for a given purpose or context in a focus area.

• Under the COBIT 2019 framework, governance distinct from management is one of the six principles
for a governance system. Governance tasks are differentiated from management tasks, and the two
require different activities and organizational structures.
Governance Principles in COBIT 2019:

1- Provide Stakeholders Value.


2- Holistic Approach.
3- Dynamic Governance System.
4- Governance distinct from Management.
5- Tailored to Enterprise Needs.
6- End to End Governance System.

COBIT 2019 governance framework principles:

1- Based on a conceptual model.
2- Open and flexible.
3- Aligned to major standards.

COBIT 4.1 contains four domains for the IT activities and risks that need to be managed:
1- Plan and Organize (PO): identifies how IT can best contribute to achieving the business
objectives. The realization of the strategic vision must be planned, communicated, and managed
from different perspectives, and a proper organization and technological infrastructure must be
put in place.
2- Acquire and Implement (AI): covers the identification, development or acquisition, and
implementation of IT solutions, as well as changes to and maintenance of existing systems, to make
sure the solutions continue to meet business objectives.
3- Deliver and Support (DS): concerned with the actual delivery of required services, including
service delivery, management of security and continuity, service support for users, and
management of data and the operational facilities.
4- Monitor and Evaluate (ME): addresses performance management, monitoring of internal control,
regulatory compliance, and providing governance.
(COBIT 2019 regroups the objectives into five domains: EDM, APO, BAI, DSS, and MEA.)
Unit 6: Controls: Application | Subunit 1: Flowcharts and Process Mapping
Shapes used in flowcharts:

1- Diamond: represents a decision point or test of a condition in a program flowchart, that is, the
point at which a determination must be made as to which logic path (branch) to follow.

2- Rectangle:

• A process, or a single step in a procedure or program.

• A computer operation or group of operations.

• A predefined processing step is represented by a rectangle with double lines on either side.

3- Document symbol: hard copy output, e.g., of a validation process. In the time-card validation
question referred to in these notes, either an error report or the valid time card information is
represented by the document symbol (Symbol X).

4- Cylinder: a hard drive or other digital medium used for storage.

5- Parallelogram: input or output when the medium is not specified.

6- Circle: a connector between two points on the same page.

• A systems flowchart is a symbolic representation of the flow of documents and procedures through
a series of steps in the accounting process of the client’s organization.

• In documenting the procedures used by several interacting departments the internal auditor most
likely will use the Horizontal (or System) Flowchart.

Horizontal and Vertical Charts:

• A vertical flowchart displays step-by-step processes effectively, but it does not delineate the system’s
components as well. A vertical flowchart is usually designed to provide for written descriptions (more
room for written descriptions).

• A horizontal flowchart more clearly shows any inappropriate separation of duties and lack of
independent checks on performance. The steps performed by a function or department are presented
in the same column. (Brings into sharper focus the assignment of duties and independent checks on
performance)

A computer program flowchart is a pictorial presentation of the flow of instructions in a client's
internal computer system.

Subunit 2: Accounting Cycles and Associated Controls


• Collecting attendance data and preparing the payroll must be separated to avoid the perpetration
and concealment of irregularities.

• The payroll department has a recording function. It should not authorize pay rate changes or the
addition or deletion of employees from the payroll. Accordingly, such changes should be authorized by
someone outside the payroll department, and payroll data should be verified outside the department.
Proper segregation of duties is critical in preventing payroll fraud.

• The human resources department is responsible for adding and deleting employees.

• The payroll department processes hours (it does not prepare the attendance data) and enters
employee bank account numbers.

• Paychecks are automatically deposited in employees' bank accounts.

Adding employees, processing work hours, and delivering paychecks must be separated.

What is an inherent limitation in internal control?

Inherent limitations in internal control arise from mistakes in judgment, misunderstanding of
instructions, personnel carelessness, distraction, fatigue, collusion, management override, changing
conditions, and deterioration of the degree of compliance. Thus, a control based on segregation of
functions may be overcome by collusion among two or more employees.

• Segregation of payroll preparation and maintenance of year-to-date records is NOT required, as


most companies have their payrolls prepared by the same individuals who maintain the year-to-date
records. There is no need for this segregation of functions because both duties involve
recordkeeping.

• The payroll department is responsible for assembling payroll information (recordkeeping).

• Attendance data are accumulated by the timekeeping function; preparing the payroll is a payroll
department function. For control purposes, these two functions should be separated to avoid the
perpetration and concealment of irregularities.

• The personnel (human resources) department is responsible for authorizing and executing employee
transactions such as hiring, firing, and changes in pay rates and deductions.

Segregating these functions helps prevent fraud. Thus, the payroll for each period should be
compared with the active employment files of the personnel department.
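The incompatible payroll duties described above, expressed as a check that can be run over actual role assignments, together with the comparison of the payroll register against the personnel department's active file and against a floor check, as an added example (Python written for these notes, not code from the revision kit). The user names, function codes, incompatible-duty pairs and employee IDs are constructed assumptions; the pairs follow the separation the notes call for (timekeeping, adding/deleting employees and authorizing pay rates, processing payroll, and delivering pay), and maintaining year-to-date records is deliberately left compatible with payroll processing, as the notes state.

```python
"""Segregation-of-duties and payroll-reconciliation checks over constructed data.

Added illustration for the notes, not code from the revision kit. Function
codes, users, incompatible pairs and employee IDs are assumptions.
"""
from itertools import combinations

# Assumed payroll functions (constructed codes).
ADD_EMPLOYEE = "add_delete_employee"    # HR: hire / terminate
RATE_CHANGE = "authorize_pay_rate"      # HR: authorize pay-rate changes
ATTENDANCE = "record_attendance"        # timekeeping
PROCESS_HOURS = "process_payroll"       # payroll department: recordkeeping
YTD_RECORDS = "maintain_ytd_records"    # payroll department: recordkeeping (compatible with PROCESS_HOURS)
DELIVER_PAY = "deliver_pay"             # custody of pay

# Pairs of duties that one person must not hold, following the separation in the notes.
INCOMPATIBLE = {
    frozenset({ATTENDANCE, PROCESS_HOURS}),
    frozenset({ADD_EMPLOYEE, PROCESS_HOURS}),
    frozenset({RATE_CHANGE, PROCESS_HOURS}),
    frozenset({PROCESS_HOURS, DELIVER_PAY}),
    frozenset({ADD_EMPLOYEE, DELIVER_PAY}),
}


def sod_violations(assignments: dict) -> list:
    """Return (user, duty_a, duty_b) for every incompatible pair a single user holds."""
    violations = []
    for user, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                violations.append((user, a, b))
    return violations


def payroll_exceptions(register, hr_active, floor_observed) -> dict:
    """Detective checks on who is being paid.

    not_in_hr_file: on the payroll but absent from HR's active employment file
                    (fictitious or terminated employees).
    not_observed:   on the payroll but not seen working during the floor check.
    """
    paid = set(register)
    return {
        "not_in_hr_file": sorted(paid - set(hr_active)),
        "not_observed": sorted(paid - set(floor_observed)),
    }


# Constructed role assignments: dave and erin hold incompatible combinations.
ASSIGNMENTS = {
    "alice": {ADD_EMPLOYEE, RATE_CHANGE},                 # HR only
    "bob": {ATTENDANCE},                                  # timekeeping only
    "carol": {PROCESS_HOURS, YTD_RECORDS},                # both recordkeeping: allowed
    "dave": {PROCESS_HOURS, ADD_EMPLOYEE, DELIVER_PAY},   # can add, pay and deliver to a ghost
    "erin": {ATTENDANCE, PROCESS_HOURS},                  # can inflate hours and process them
}

# Constructed employee IDs for the reconciliation.
PAYROLL_REGISTER = ["E001", "E002", "E003", "E009"]
HR_ACTIVE = ["E001", "E002", "E003", "E004"]
FLOOR_OBSERVED = ["E001", "E003"]

if __name__ == "__main__":
    for user, a, b in sod_violations(ASSIGNMENTS):
        print(f"SoD violation: {user} holds {a} and {b}")
    for kind, ids in payroll_exceptions(PAYROLL_REGISTER, HR_ACTIVE, FLOOR_OBSERVED).items():
        print(f"{kind}: {ids}")
```

The assignment check is preventive when run before access is granted and detective when run over existing entitlements; the register comparison is purely detective, which is why the notes pair it with the periodic floor check rather than relying on the payroll department's own records.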
Internal control over accounts receivable begins with a proper segregation of duties. Thus,

• The cashier, who performs an asset custody function, should not be involved in recordkeeping.
• Accounts should be periodically confirmed by an auditor.
• Delinquent accounts should be reviewed by the head of accounts receivable and the credit manager.
• Customer statements should be mailed monthly by the accounts receivable department without
allowing access to the statements by employees of the cashier’s department.
• The sales manager should not be the only person to review delinquent accounts because (s)he
may have an interest in not declaring an account uncollectible.

Subunit 3: Management Controls


Examples of control weaknesses over the safeguarding of assets:

1- Lack of background checks for employees hired for sensitive positions.
2- Failure to take corrective action on past engagement observations relating to the safeguarding of
assets.

• Management can best strengthen internal control over the custody of inventory stored in an off-
site warehouse by implementing regular reconciliation of physical inventories to accounting
records.

A detective control that will reveal, on a regular basis, any discrepancies between the inventory
records and the actual inventory on hand (off-site warehouse) is needed. Periodic comparison
of the recorded accountability for inventory with the actual physical inventory will accomplish this.

Which of the following would minimize defects in finished goods caused by poor quality raw
materials?

Required material specifications for all purchases.

A preventive control is required in this situation, i.e., one that ensures an unwanted event does not take
place. The most cost-effective way of achieving the goal is to keep poor quality raw materials from
entering the warehouse to begin with. Of the controls listed, only required specifications will
accomplish this.
Unit 7: Fraud Risks and Controls | Subunit 1: Fraud -- Risks and Types

• Fraud is defined in The IIA Glossary as “any illegal act characterized by deceit, concealment, or
violation of trust. These acts are not dependent upon the threat of violence or physical force.”
(Intentional deception)
• The internal auditor should have sufficient knowledge to identify the indicators of fraud but is
not expected to be an expert.

• Living beyond one’s means has been linked to Employee Fraud (embezzlement), NOT to
Financial Statement Fraud.

• An increase in sales far out of proportion to the increase in cost of goods sold is an indicator
of possible fraud. Increases in sales are usually accompanied by close to proportional increases
in cost of goods sold.
Example: A trend analysis discloses sales increases of 50% and cost of goods sold increases of
25%.

The following are some factors (red flags) which are generally associated with Management fraud:
- Generous reward systems provide incentives for management to distort performance.
- A domineering management: Pressure from superiors provides an incentive for management to
distort performance.
- A management preoccupation with Increased Financial Performance provides an incentive for
managers to distort performance.
- Ineffective controls on comparison of actual results with budgets

• Where management has established a fraud prevention function, the internal audit activity is
responsible for examining and evaluating the adequacy and effectiveness of the actions that function
takes to prevent fraud.
• An internal auditor's responsibilities for detecting fraud include evaluating fraud indicators and
deciding whether any additional action is necessary or whether an investigation should be
recommended.

• Internal auditors are more likely to detect fraud by developing/strengthening their ability to
Recognize and question changes that occur in organizations.

• Trusting an employee completely is an example of opportunity to commit fraud.

• A manager continually handles the most pressing issues of an organization is an opportunity


for the manager to commit fraud.
• Situational Pressure: Financial difficulties create situational pressures or temptations that may
contribute to fraud. These situational pressures result from high personal indebtedness, extravagant
lifestyles, gambling problems, etc.

• Rationalization occurs when a person attributes his or her actions to rational and creditable motives
without analysis of one’s true and especially unconscious motives. Feeling that one is not being
paid as much as one is worth is a common rationalization for low-level fraud.
• Tampering with accounting records is a document symptom. The indicator of fraud consists of
the changes in actual company records.

• Check Tampering is a scheme in which an employee steals company funds by intercepting, forging
or altering a check drawn on one of the organization’s bank accounts.

• An employee was living beyond his means. The change in lifestyle was a symptom that
indicated the presence of fraud.
• A drastic change in an employee's behavior may indicate the presence of fraud. The guilt and other
forms of stress associated with perpetrating and concealing the fraud may induce noticeable changes
in behavior (behavioral symptom).

• Skimming: is a theft of cash before the accounting entry is recorded. Examples include accepting
payment from a customer but not reporting the sale or overcharging the customer for the sale
and keeping the difference. Skimming is very difficult to detect as there is no audit trail.

• Tax evasion: The illegal nonpayment or underpayment of tax is considered tax evasion.
Intentionally falsifying a tax return, failing to remit taxes, and failing to report taxes are examples.

• Payment fraud: involves payment for fictitious goods or services, overstatement of invoices,
or use of invoices for personal reasons.
• Payroll fraud is a false claim for compensation. It can include, for example, falsifying timesheets,
claiming overtime for hours not worked, and payments to fictitious or terminated employees.

• Asset misappropriation fraud is stealing cash or other assets, such as supplies, inventory,
equipment, and information. The theft may be concealed by adjusting records.

• Wrongful use of confidential or proprietary information is considered fraudulent. Confidential or


proprietary information can often be the organization’s most valued asset. Because of this, employees
are routinely asked to sign confidentiality agreements as a condition of their employment.
• Diversion fraud involves a third party and redirects to an employee or outsider a transaction that
normally benefits the organization.
For example, accounts payable receives a phone call from an impostor, pretending to be from one of
the organization’s vendors. The impostor gives new payment instructions to accounts payable
and redirects future organization payments.

• Expense reimbursement fraud is when payment is made for fictitious or inflated expenses, for
example, when an employee submits an expense report that includes personal travel, nonexistent
meals, or extra mileage.

• Check kiting: a check kiting scheme requires at least two accounts and usually involves several
accounts at several banks. Nonexistent cash is constantly moved from one bank to another, rotating
in a circular fashion.
Check kiting exploits the float time between the deposit of a check and the check clearing the
bank. At one time, float times ranged from 2 to 10 days; technology has drastically reduced float
times. Electronic funds transfer and other networked computer safeguards make electronic kiting
difficult.

• Extended tests to determine the extent of a fraud are performed after the fraud has in fact been
determined, not merely suspected.

• Fraud awareness training supports fraud prevention by limiting (minimizing) rationalization:
- Supporting the ethical tone at the top.
- Promoting an anti-fraud environment.
- Emphasizing that the organization does not tolerate misconduct of any kind.

The following control procedures are important in preventing computer fraud:

- Testing of new applications by users during the systems development process is one of the most
important controls to help prevent computer fraud.
- Adequate control over program changes is one of the most important control procedures in a
computerized environment. Programmers should not have access to production (operational)
programs, and librarians should not be able to program (segregation of duties between the
applications programmer and the program librarian function).
- A program should be modified using a working copy, not the version in production (program change
control requiring a distinction between production programs and test programs).
Segregation of duties between the programmer and the systems analyst is the least important for
preventing computer fraud (programmer-analyst is a common job title).
Segregation of duties between the programmer and the operating systems and compilers is not
required to prevent computer fraud.

• If a purchasing agent can issue both purchase orders and receiving slips, (s)he may acquire items
for personal use with the company's funds (e.g., purchasing up to a specified amount per day under
open-ended contracts). The auditor may detect this fraud by performing a trend analysis of printing
supplies expenses over the last 2 years, which will identify excess use of supplies.
As an engagement procedure to detect this kind of fraud, the auditor should also check a sample of
paid invoices and verify receipt of the goods or services by the department involved.

• To minimize fraudulent use of the organization's credit card, treat it like cash by applying the same
expense controls used for expense reports. (The problem of charging the organization for
unauthorized expenditures is the same for any type of expense account, whether credit card or cash,
so normal expense controls should preclude credit card fraud by employees.)
Having a written policy describing prohibited activities and the action required whenever violations
are discovered helps prevent fraud. If the auditor fails to report the absence of such a policy, (s)he
has not properly fulfilled his or her responsibility regarding the prevention of fraud.

The purchasing agent should NOT match the vendor invoice, receiving slip, and purchase order. To
decrease the likelihood of fraud, both the receiving reports and the vendors' invoices must be sent
directly to the accounts payable department.

Where contracting for services and approval of supplier invoices have been delegated to one person,
the following help prevent or detect that person continuing to submit fraudulent invoices from the
old supplier:

- Comparison, by the person signing checks, of invoices with an independent verification of services
received.
- Requiring authorization of payments by someone other than the person who negotiated the contract.
- Budget preparation by someone other than the person signing contracts and approving payment.

The least likely to prevent or detect such fraud is segregating the mailing of vendor checks from
signing the checks and approving the invoices.

One way to reduce the risk of the addition of fictitious employees to the payroll is to perform
periodic floor checks of employees on the payroll (a periodic comparison of the names on the payroll
with the persons observed working for the company). Observation of payroll distribution is such a
control.
Study Unit 7: Fraud Risks and Controls | Subunit 3: Fraud – Investigation

FRAUD INVESTIGATIONS:
When conducting fraud investigations, internal auditors or others should assess the level of, and the
extent of complicity in, the fraud within the organization. This assessment can be critical to ensuring
that:
(1) Crucial evidence is not tainted or destroyed.
(2) Misleading information is not obtained from persons who may be involved.

If internal auditing has concluded that an employee has stolen a significant amount of cash
receipts. A draft of the proposed communication on this observation should be submitted for review to
legal counsel. The board should receive a final draft of the report after it has been reviewed and
approved by legal counsel.
If appropriate, the CEO may receive a final draft of the report after it has been reviewed and
approved by legal counsel.

The distinguishing characteristic of forensic auditing is the knowledge needed to testify as an


expert witness in a court of law. Although a forensic auditor may possess the other attributes listed, the
organization’s information systems auditor may also possess these skills or knowledge elements.
(Forensic Auditor would have Knowledge of what constitutes evidence acceptable in a court of
law)

Forensic Auditing relies more heavily on investigative skills; Forensic auditing requires
investigative and accounting skills. The investigative skills are required to collect, analyze, and
evaluate financial evidence. These skills differentiate forensic auditing from internal auditing.

Attempt to get the suspected individual to confess is the least likely approach to be used in an
investigation.

* * *

The End of CIA Part 1

Tarek Jabri
