1 Foundations of Internal Auditing (35%) Flashcards by Nurul Azlina binti Mukhtarizan

Describe the Purpose of Internal Auditing according to the Global Internal Audit Standards

Foundations of Internal Auditing

May include but is not limited to:
a. Explain the overall objectives and benefits of the internal audit function
🛡️ OVERALL OBJECTIVES → 🎯 BENEFITS

🛡️ OVERALL OBJECTIVES
Internal auditing helps the organization:
➡️ Create, protect, and sustain value
➡️ By providing:
✔️ Independent
✔️ Risk-based
✔️ Objective assurance, advice, insight, foresight

🎯 BENEFITS
Internal audit enhance:
* 🎯Achievement of objectives
* 🏛️ Governance, risk & controls
* 🧠 Decision-making & oversight
* 🤝 Stakeholder trust
* 🌍 Public interest service

Domain I: Purpose of Internal Auditing, pg 15 of GIAS

How well did you know this?

Not at all

Perfectly

Describe the Purpose of Internal Auditing according to the Global Internal Audit Standards

Foundations of Internal Auditing

May include but is not limited to:
b. Describe the conditions that contribute to the effectiveness of the internal
audit function
✅ CONDITIONS FOR EFFECTIVENESS

✅ CONDITIONS FOR EFFECTIVENESS
* 👩‍💼 Performed by competent professionals (follow GIAS)
* 📊 Independent – reports to the board
* ⚖️ Free from undue influence – always objective

Domain I: Purpose of Internal Auditing, pg 15 of GIAS

How well did you know this?

Not at all

Perfectly

Explain the internal audit mandate and responsibilities of the board and chief audit executive

Foundations of Internal Auditing

May include but is not limited to:
i. Describe the authority, role, and responsibilities of the internal audit function

IMPLEMENTATION
🔑 Authority
🎯 Role
📋 Responsibilities

🔑 Authority
👑 Given by the board
📜 Written in the charter
🚪 Full access to 🗂️ records, 👥 people & 🏢 locations
📣 Reports directly to the 🏛️ board

🎯 Role
🛡️ Provide assurance
💡 Offer advisory insights
🧰 Use a structured approach
🔄 May help in 🧮 risk mgt or 📏 compliance too (nonaudit roles)

📋 Responsibilities
✅ Follow 🌍 IIA Standards
📤 Report to 🏛️ board & 🧑‍💼 management
⚖️ Ensure 📚 compliance
🔧 Recommend better 🏗️ governance, 🧩 risk & 🔐 controls
🎯 Support the org’s 🏆 goals

Domain III: Governing the Internal Audit Function > Principle 6 Authorized by the Board > Standard 6.1 Internal Audit Mandate > Considerations for Implementation, pg 40 of GIAS

How well did you know this?

Not at all

Perfectly

Explain the internal audit mandate and responsibilities of the board and chief audit executive

Foundations of Internal Auditing

May include but is not limited to:
ii. Explain the role of the chief audit executive in helping the board establish or update the internal audit mandate

Internal audit mandate

👤 CAE provides info to the board & senior mgmt to establish the mandate
📜 Must document or refer to the mandate in the board-approved charter
⚖️ If required by law, mandate must include legal obligations
🤝 Works with internal & external assurance providers to define roles
🔄 Regularly assesses if changes in the org require updating the mandate
🎯 Ensures the audit function continues to support goals & strategy

Domain III: Governing the Internal Audit Function > Principle 6 Authorized by the Board > Standard 6.1 Internal Audit Mandate, pg 40-41 of GIAS

How well did you know this?

Not at all

Perfectly

Explain the internal audit mandate and responsibilities of the board and chief audit executive

Foundations of Internal Auditing

May include but is not limited to:
iii. Explain the role of the board and senior management in determining the authority, role, and responsibilities of the internal audit function
- Internal audit mandate

👥 The board must:
🔹 Talk with the CAE and upper management about internal audit’s authority, functions & duties
🔹 ✅ Approve the internal audit charter – including the mandate, scope, and types of services

🏢 Senior management must:
🔹 🤝 Join discussions with the board & CAE to define internal audit’s mission
🔹 📣 Promote and support internal audit’s role across the organization

Domain III: Governing the Internal Audit Function > Principle 6 Authorized by the Board > Standard 6.1 Internal Audit Mandate > Essential Conditions, pg 40 of GIAS

How well did you know this?

Not at all

Perfectly

Recognize the requirements of an internal audit charter

Foundations of Internal Auditing

May include but is not limited to:
a. Identify components required by the Global Internal Audit Standards
1️⃣ 🎯 Purpose 2️⃣ 📏 Standards 3️⃣ 🛡️ Mandate 4️⃣ 🏛 Position

1️⃣ 🎯 Purpose of Internal Auditing
– Why internal audit exists in the organization

2️⃣ 📏 Commitment to Standards
– Adheres to Global Internal Audit Standards™

3️⃣ 🛡️ Mandate
– Scope & types of services (e.g., assurance/advisory)
– Board’s responsibilities & mgmt support
– Legal/regulatory basis (if applicable)

4️⃣ 🏛 Organizational Position & Reporting
– Reporting lines of CAE
– functionally to the board, administratively to senior mgt
– Independence & authority to access info/personnel

📍 Ref: Std 6.2 – IA Charter (p.42)

How well did you know this?

Not at all

Perfectly

Recognize the requirements of an internal audit charter

Foundations of Internal Auditing

May include but is not limited to:
b. Recognize the importance of discussing the charter with the board and senior management

👥 Board:
🔹 🗣️ Discuss charter content with CAE & mgmt
🔹 ✅ Endorse IA charter (purpose, services)
🔹 🔁 Review & update charter when needed (e.g., new CAE, new risks, advisory role)

🏢 Senior Mgmt:
🔹 📩 Share expectations with board & CAE for charter updates

📍 Ref: Global Standards 6.2 – Internal Audit Charter (p.42)

How well did you know this?

Not at all

Perfectly

Recognize the requirements of an internal audit charter

Foundations of Internal Auditing

May include but is not limited to:
c. Recognize the importance of board approval

🏛 Board must approve IA charter to:
✅ Confirm IA authority & independence
– Charter defines access & reporting lines
📜Formalize IA’s role, scope & services
– Charter sets what IA does (e.g., assurance, advisory)
🛡️ Ensure alignment with org needs & Standards
– Charter commits to Global IA Standards + org goals

KIV

📍 Ref: Standard 6.2 – IA Charter (p.44, Global Standards)
🗣️ “The board must approve the internal audit charter.”

How well did you know this?

Not at all

Perfectly

Interpret the differences between assurance services and advisory services provided by the internal audit function

Assurance Services I

May include but is not limited to:
a. Define assurance services
1. Definition
2. Purpose
3. Particpant
4. Scope
5. Evaluation
6. Engagemen
7. COSO
8. External auditor
9. Types of services

🔍 Assurance Services are evaluations by internal auditors to help organizations gain confidence in their:
✅ Governance
✅ Risk management
✅ Control processes

🎯 Purpose:
Help orgs create & maintain value by offering independent, objective assessments
✔️ Ensure operations are efficient
✔️ Comply with laws
✔️ Manage risks
✔️ Safeguard assets

👥 Key Participants:
* 👤 Process owner – person/group responsible for the activity
* 🕵️ Internal auditor – performs and evaluates
* 👥 User – uses the results for decision making

🧭Scope Includes:
* ⚙️ Operational efficiency
* 📊 Reporting reliability
* 📜 Compliance with laws
* 🛡️ Safeguarding of assets
* 🧠 Ethical culture

📏 Evaluation:
Auditors compare what is found vs expected
➡️ Identify issues
➡️ Report findings
➡️ Judge control effectiveness

🔍 Assurance Engagements = Internal audit assessments beyond financial statements, covering:
* 🧭 Governance – Board structures & processes for direction & oversight
* ⚠️ Risk Management – Identify, assess, manage, and monitor risks
* 🛠️ Control Processes – Policies/procedures to manage risks within tolerance

📚 COSO Definition of Internal Control:
“A process… to provide reasonable assurance (not absolute) of achieving objectives in:
1️⃣ Operations
2️⃣ Reporting
3️⃣ Compliance”

🎯 COSO Objectives:
* ⚙️ Operations: Efficiency, effectiveness, asset safeguarding
* 📈 Reporting: Reliability & transparency of financial/non-financial reports
* 📜 Compliance: Following laws, contracts, and policies

🧩 COSO Internal Control Components Reviewed in Engagements:
* 🧠 Control environment
* 🧱 Risk framework
* 🧾 Control activities
* 🔁 Info & communication
* 👁️ Monitoring

🤝Internal vs External Auditors
* External auditors 📊 = Audit financial statements
* Internal auditors 🕵️‍♀️ = Review internal controls, esp. over financial reporting
* Internal audit adds value via monthly reports:

📅 Management reporting

📊 Scorecards

🎯 KPIs

✅ External auditors may rely on internal audit work for efficiency & confidence

🔢 Three Types of Assurance Services:

1️⃣ Compliance Assurance
✔️ Ensures adherence to:
* 📜 Laws & regulations
* 🤝 Contracts
* 🧭 Policies (e.g., code of ethics)

2️⃣ Operational Assurance
📈 Evaluates process efficiency & effectiveness, e.g.:
* 🎯 Product quality
* 💬 Customer service
* 💵 Expense minimization
* 🛡️ Safeguarding assets
* 🌱 CSR/sustainability

3️⃣IT Assurance
💻 Focus on information integrity, e.g.:
* 🖥️ Computers & tech infrastructure
* 📱 Mobile devices
* 🛡️ IT governance

GIAS > Domain V: Performing Internal Audit Services, pg.92
Two way mapping 2017 & 2024 > glossary, pg.7
CIA part 1 SU2, page 2-4

How well did you know this?

Not at all

Perfectly

Interpret the differences between assurance services and advisory services provided by the internal audit function

Assurance Services I

May include but is not limited to:
b. Differentiate between limited and reasonable assurance
🃏 NATURE🃏TIMING🃏EXTENT

📉 Limited Assurance
➖ Lower confidence level
➖ Nature: Simpler, less detailed procedures (e.g., inquiries, limited analysis)
➖ Timing: May occur earlier or with fewer updates
➖ Extent: Narrow scope, fewer tests, smaller samples
✅ Suitable when rapid insight is needed with minimal disruption

📈 Reasonable Assurance
➕ Higher confidence level
➕ Nature: In-depth, often involves corroborative procedures (e.g., re-performance, observation)
➕ Timing: More current and ongoing testing
➕ Extent: Broader scope, more samples, more evidence collected
✅ Common for full-scope audits intended to support strong conclusions

GIAS > Glossary > assurance services, pg. 10
SU2 – CIA BookOnline > assurance engagement & COSO, page 3

How well did you know this?

Not at all

Perfectly

Interpret the differences between assurance services and advisory services provided by the internal audit function

Advisory Services

May include but is not limited to:
c. Define advisory services
1. Definition
2. Types
3. Value added services

🧠 Advisory Services = Specialized consultations to help improve operations
❗ No assurance given & no management responsibility taken
🗣️ Help stakeholders via:
* 💬 Risk discussions
* 💡 Process/policy design
* 🕵️ Investigations
* 📚 Training
* 🧭 Guidance (to mgmt or board)

🤝 Based on agreement with stakeholders (e.g., board or mgmt)
⚠️ Should not replace assurance work unless clearly more suitable

📂 Types of Advisory Services:

1️⃣ 📄 Formal Advisory –
* Planned & documented in writing

2️⃣ 💼 Informal Advisory –
* Routine activities:

👥 Committees

📆 Ad-hoc meetings

🔁 Info exchange

3️⃣ 🔍 Special Advisory –
* Mergers, acquisitions, system conversions

4️⃣ 🚨 Emergency Advisory –
* Post-crisis recovery / urgent support

🌪️ Disasters

⏳ Time-sensitive needs

🎓 Educational – Internal auditors share specialized knowledge
🧠 Facilitative – IA guides mgmt/staff in assessing & solving issues

📑 Note:
🖊️ The nature and scope of the advisory service is:
* Agreed with activity’s management 🤝
* Must follow ✍️ the internal audit charter

🌟 Value of Advisory Services
They support the 🌍 Purpose of Internal Auditing by providing:
* 🎯 Independent & objective advice
* 🧭 Insight & foresight
* 💬 Forward-looking guidance
* 💡 High-impact support to business mgmt

🧠 Add value via:
* ✅ Trusted advisor role
* 🔁 Enhancing decisions & risk responses

🤝 Audit Activities Beyond Assurance & Advice
Advisory ≠ Assurance – but both can exist together!
* 🕵️ Internal audit may also do investigations, training, etc.

🔀 Interrelationship of Assurance & Advisory
* A blended engagement may mix both types
* Internal audit charter 📝 should define this
* 🎓 Due care is vital to keep independence & objectivity

📋 Examples of Empowered Advisory Roles:
* 🛠️ System development analysis
* 🔐 Security product review
* 🧪 Task forces for special ops

🧠 Objectivity in Advisory Services
* Internal auditors 🚫 do not make management decisions
* 🎯 Must avoid assuming management roles
* ✅ If CAE takes on extra duties, implement safeguards to protect independence

🗣️ Communication of Fundamental Information
* Advisory outputs must support:
1️⃣ Operational efficiency
2️⃣ Reliable reporting
3️⃣ Legal & regulatory compliance
4️⃣ Safeguarding assets
5️⃣ Ethical culture

📤 CAE decides what info should be shared with executives & board

👥 Formal Advisory Services: In-house vs External
* 🧑‍💼 Internal audit = better org knowledge, cheaper
* 🌍 External consultants = better niche expertise
* 🤝 Collaboration may be needed for specialized skills

⚖️ Criteria for Conflicts or Evolving Issues
* Follow 🧭 IIA Global Internal Audit Standards
* Resolve any activity conflict by conforming to Topical Requirements

GIAS > Domain V: Performing
Internal Audit Services, pg. 92
SU 4: Advisory services > oveview, page 2-4

How well did you know this?

Not at all

Perfectly

Interpret the differences between assurance services and advisory services provided by the internal audit function

Advisory Services

May include but is not limited to:
d. Describe how the nature and scope of advisory services are determined
1. Who determines the nature and scope
2. What factors are considered
3. How it may evolve during the engagement
4. Important boundaries and responsibilities

🧾 Nature & Scope
* The nature and scope of advisory services are 🤝 agreed upon with management of the activity under review.
* Must be ✅ consistent with the internal audit charter.

🧭 Scope of Work
* Based on:

📌 Objectives & scope from both internal audit & mgt jointly

🧠 Risk exposure significance

🛠️ Actions planned or taken

🎯 Expectations from mgmt & board

⚖️ Factors Considered Include:
* 💬 Needs & timing of management
* 🧩 Motivations for service
* 🧑‍💼 Skills & resources needed
* 📚 Past audit coverage
* 🔍 Effects on future audits

🔁 Adjusting Scope During Engagement:
* Internal audit may persuade mgmt to add extra objectives
* Can document if mgmt fails to pursue added objectives

🧠 Other Key Points:
* ❗ Avoid conflict of interest
* 🔄 Cooling-off period applies after advisory work
* 🧑‍⚖️ Must exercise due professional care in planning, performing, and communicating results
* 📤 Final communication includes results, not formal conclusions (unlike assurance)

GIAS Page 92 – Domain V: Performing Internal Audit Services
SU4: Advisory Services > Types of advisory services & scope of work, page 2-4

How well did you know this?

Not at all

Perfectly

Interpret the differences between assurance services and advisory services provided by the internal audit function

Assurance vs Advisory

May include but is not limited to:
e. Determine which type of service (assurance or advisory) is appropriate in a given context

✅ Assurance services are appropriate when:
🧭 Stakeholders (e.g., board) want independent, objective evaluations
📏 There are defined criteriato assess governance, risk, or control processes
📄 A formal conclusion or opinion is expected
💼 Auditor sets scope and objectives (not the client)

💡 Advisory services are appropriate when:
👥 Management requests guidance or input (e.g., on new systems or risks)
🤝 Scope and objectives are mutually agreed with the client
🔁 The auditor is not providing formal assurance or acting as management

🔀 Blended engagements may combine both types, but auditors must protect objectivity and independence🛡️

🟩 How they are structured (Two way Mapping, Intro-16 to 20)
⚖️ Assurance:
“3 parties: process owner, auditor, user” 👥

🤝 Advisory:
“2 parties: auditor + client” 👤
“Requested, agreed scope” 🗂️
No opinion 🚫

📚 CIA SU2 Assurance Services I > assurance services, page 2-4
📚 CIA SU4 Advisory services > overview & interrelationship of assurance and advisory services, page 2-3

How well did you know this?

Not at all

Perfectly

Describe the types of assurance services performed by the internal audit function

Assurance Services I 1x

May include but is not limited to:
a. Describe risk and control assessments
1. Def (purpose)
2. Involvement/ responsibilities
3. Role of internal auditor/ how internal auditor use CSA
4. Benefits/ outcomes, benefits & limitations
5. Methods/ 3 CSA (Workshop-facilitation, survey, self-certification)

1 🧠 CSA = A process where organizations assess ⚠️ risks & 🛡️ controls.
🎯 Purpose: Strengthen controls 🔒, raise risk awareness 🚨, and involve staff 👥 across the org.

2 Involvement:
👨‍🔧 All employee levels assess controls in their area.
👔 Senior Mgmt – Oversees setup, admin & evaluation of risk/control processes
🧑‍🔧 Operating Managers – Assess risks & controls in their areas
🕵️ Internal/External Auditors – Provide assurance on effectiveness

3🕵️ Internal auditors use CSA to support mgmt in evaluating ⚠️ risks & 🛡️ controls.
They may:
* 🛠️ Design & implement CSA
* 🎓 Conduct training
* ✍️ Provide scribes & facilitators
* 🤝 Coordinate team participation

👔 CAE ensures:
* 👁️ Objectivity of audit staff
* ⚖️ Bias is managed
* 🧪 Extra testing (if needed)

✅ CSA benefits:
* 📊 Broader control assessment
* ✅ Better corrective actions
* 🎯 Focus on high-risk areas
* 🔍 Validated insights
* 🧠 Synthesized org-wide info
* 📢 Clearer reporting to senior mgmt/board

4 ✅ Benefits:
* 🚨 Heightens risk awareness
* 🙋 Staff take ownership of controls
* ⏱️ Timely corrective action
* 📈 Improves audit planning & resource use
* 🔄 Promotes continuous monitoring & improvement

⚠️ Limitations:
* 🧑‍🏫 Staff may lack risk/control skills
* 🧩 Wrong CSA method = missed risks
* 🧪 Still needs audit validation for assurance

5 🧰CSA Approaches:
1️⃣ 👥 Workshop-Facilitation – Structured, in-person, collaborative
2️⃣ 📝 Survey – Questionnaire; fast but less interactive
3️⃣ ✍️ Self-Certification – Staff confirm control compliance

🌍 Choice depends on: industry, geography, structure, culture, employee empowerment, mgmt style, formulating strategies & policies.

🧑‍🏫 Workshop-Facilitation Formats:
🎯 Objective-based – focus on best way to accomplish biz obj.
⚠️ Risk-based – focus on risks achieving obj.
🛡️ Control-based – focus on how well ctrl in place are working
🔄 Process-based – focus on selected activities of a chain of processes.

📝 Survey Approach
* Uses yes/no or “have/have not” questionnaires
* 👍 Useful when participants are too many or spread out
* 🤐 Preferred when open discussion is limited or cost/time must be minimized

✍️ Self-Certification Approach
* Based on mgmt’s analysis of processes, risks & controls
* 🧠 Helps teams make timely judgments
* 🔄 Auditors may use this with other info for assurance
* 🧱 Often uses COSO or other frameworks for structure

CIA SU2 > Risk & Control Self Assessment, pg 5-10

How well did you know this?

Not at all

Perfectly

Describe the types of assurance services performed by the internal audit function

Assurance Services I 1x

May include but is not limited to:
b. Describe third-party and contract compliance audits
1 External biz r/ship
2 Auditing external biz r/ship
3 3rd party audit
4 Contract auditing
5 Engagement timeline
6 Source code escrow clause

1 🔍 Internal auditors assess third-party risks to protect against:
* 💸 Financial loss
* ⚠️ Operational issues
* 🧯 Reputational harm

✅ They ensure partnerships:
* 📜 Follow contracts
* 🧠 Provide value > risk
* 📊 Support business goals

🌐 Types of EBRs:
* 👨‍💼 Service providers
* 🏭 Supply/demand-side partners
* 🤝 Joint ventures
* 💡 IP licensors

⚠️ Risks include:
* 🚫 Non-compliance or fraud
* 📉 Poor service/performance
* 🧾 Contractual conflicts
* 🔐 Data/privacy issues
* 💥 Insolvency

2 🔍 Auditors must understand:
* 🧾 How the EBR began & is managed
* 🎯 Objectives, risks, and contract terms
* 🧑‍⚖️ Right to audit & termination clauses

🛠️ Audit activities include:
* 🧠 Understand relationship & processes
* ⚠️ Assess risks & controls
* 📊 Perform the audit (site work, results, conclusions)
* 📝 Report to mgmt/board
* 🔁 Monitor progress & follow up

🎯 Goals: limit fraud, boost trust, fix gaps, and improve relationships 🤝

3 🔍 Third-Party Audits = Assess controls for outsourced services (e.g., ESPs)
* 🧾 Use SOC reports (Type 1, Type 2, or SOC 3)
* ✅ May include ISO 9000 audits or certification checks
* 🔄 Coordinate with 3rd parties to avoid duplication

4🛠️ Contract Auditing = Review if both parties meet contract terms
* 🔍 Used for construction & services contracts
* 🔢 Contract types:

💰 Lump-sum (fixed price)

➕ Cost-plus (cost + fee)

📏 Unit-price (based on measurable work units)

5 📅 Engagement Timeline:
Auditors should review contracts early — not just during performance!
Check:
* 🏷️ Bidding procedures
* 💸 Cost control & budget forecasts
* 📊 Contractor systems & financial position
* 💰 Funding & tax issues
* 🏗️ Project progress & costs

6 💾 Source Code Escrow Clause:
For software contracts, auditors should recommend a clause that:
🔐 Holds source code in escrow with a 3rd party in case vendor fails

📘GIAS > Glossary, pg. 10
Standard 13.4 Evaluation Criteria, pg. 100

How well did you know this?

Not at all

Perfectly

Describe the types of assurance services performed by the internal audit function

Assurance Services I 1x

May include but is not limited to:
c. Describe IT security and privacy audits
1 Security auditing
2 Info security auditing
3 Privacy auditing

Study These Flashcards

1 🔐 Security Auditing
= Reviews how well controls protect both IT & non-IT assets (e.g., people, facilities)
🕵️ Internal audit evaluates design & effectiveness of all security controls

2 💻 Information Security Auditing
= Focuses on risks from IT systems & data access
👨‍💻 Auditors assess risks, monitor corrective actions, and evaluate IT controls
🤝 May advise on system security, working with IT teams & mgmt

🧠 Understanding ctrl processes:
* Understand risks ⚠️ and control design 🔧
* Evaluate frameworks & test effectiveness
* Review policies, roles, training, and enforcement 📋

🔐 Privacy consideration:
* Check handling of personal info 🧑‍💻
* Assess collection, retention, sharing & legal use 📜
* Ensure privacy controls meet laws & protect data

📊 Info Reliability & integrity:
* Validate data accuracy, completeness & security 🔍
* Check if controls ensure trustworthy reporting ✅

3 🔐 Privacy Auditing
Audits protect personal info to prevent legal risks ⚖️ and reputational harm 📉, especially due to digital threats 🌐.

🧠 What is Privacy?
Privacy = protection of:
* 👤 Personal space & thoughts
* 🏠 Physical space (freedom from surveillance)
* 💬 Communication (freedom from monitoring)
* 📂 Information (collection, use & disclosure)

🧾 Personal Info (PII) includes:
Name, ID numbers, family info, job evaluations, credit & health records 💳🏥.

🕵️ Use of Personal Info in Engagements
Auditors must:
* ✅ Use PII only for audit purposes
* 📜 Follow laws & consent rules
* 🔐 Avoid misuse, access only what’s permitted
* 👨‍⚖️ Seek legal advice if unsure

🤐 Ethical Requirements – IIA Principle 5
“Internal auditors use and protect info appropriately”:
* Use info only for professional reasons
* Respect ownership & safeguard against unauthorized access 🚫

Standard 5.2 Protection of Information > Requirement, pg. 35
Standard 5.2 Protection of Information > Considerations for Implementation, pg. 36

Describe the types of assurance services performed by the internal audit function

Assurance Services I

Assurance Services I 2x

May include but is not limited to:
d. Describe performance and quality audits
1 Performance assurance engagement
2 Balance scorecard
3 SWOT
4 Quality audits

Study These Flashcards

1 📊 Performance Audits evaluate how well an org meets objectives, stays on track 🎯, and uses resources efficiently 💡.

🧠 Performance Assurance Engagements assess an org’s ability to:
1️⃣ Measure performance
2️⃣ Spot deficiencies ⚠️
3️⃣ Take corrective action 🛠️
4️⃣ Achieve target performance 🎯

📏 Requires:
* Clear expectations
* Measurable results 📈
* Feedback for improvement 🔄

🔄 Audit may review:
* Org structure 🏢
* Control environment 🛡️
* KPIs vs. criteria 📋
🔍 Using tools like:
* Balanced scorecards
* SWOT analysis 🧭
* Mgmt control evaluation

2 📊 Balanced Scorecard = A performance tool linking strategy to measurable outcomes.
🎯 Purpose: Balance (1) long- vs. short-term & (2) financial vs. non-financial goals.

🧠 Must:
* Be tied to strategy
* Involve mgmt
* Include specific, reliable KPIs
* Avoid trade-offs that harm overall results

🔍 4 Perspectives:
1️⃣ 💰 Financial – Sales, stock value, profits, liquidity
2️⃣ 🧍‍♂️ Customer – Retention, satisfaction, delivery, quality
3️⃣ ⚙️ Internal – Process quality, efficiency, flexibility, safety
4️⃣ 🚀 Learning/Growth – Innovation, morale, training, HR dev

3 📊 SWOT Analysis = Evaluates:
* 💪 Strengths – Internal advantages (e.g., tech, product mix, R&D, mgmt)
* 💔 Weaknesses – Internal gaps or lack of resources
* 🌟 Opportunities – External chances for growth (e.g., tech, gov’t shifts)
* ⚠️ Threats – External risks (e.g., competitors, rivalry, substitutes)

🎯 Helps shape strategy by focusing on:
1️⃣ Cost 💰
2️⃣ Quality ✅
3️⃣ Speed of development/delivery ⚡

4 🛠️ Quality Auditing ensures processes meet quality standards
🔍 Focus = prevention, not just detection of defects

🌀 Uses TQM (Total Quality Management) =
* 💡 Do it right the first time
* 👥 Train & empower employees
* 🤝 Promote teamwork & sharing ideas
* 🔁 Improve processes continuously
* 🎯 Meet customer needs (internal & external)

📏 Quality perspectives include:
* Product attributes
* Customer satisfaction 😊
* Conformance to specs 📦
* Value (quality vs price) 💰

Standard 12.2 Performance Measurement, pg. 88
Standard 8.3 Quality, pg. 55

Describe the types of assurance services performed by the internal audit function

Assurance Services II 3x

May include but is not limited to:
e. Describeoperational, financial, and regulatory compliance audits

OPERATIONAL AUDITING
1 Operational audit engagements

FINANCIAL AUDITS
1 Fin st. & corp. governance
2 Mgt’s assertions
3 Key risks
4 Accounting cycles
5 Fraud risk

COMPLIANCE AUDITING
1 Compliance
2 Compliance programs
3 Organizational standards & procedures
4 Responsibility
5 Applicant screening
6 Communication
7 Monitoring & reporting

Study These Flashcards

OPERATIONAL AUDITING
1⚙️ Operational Auditing = Assesses efficiency & effectiveness of operations
🔍 Focus on how well org units function & cooperate across locations

🧩 Types of engagements:
1️⃣ Process (Functional) – Covers:
* 🛒 Purchasing
* 📦 Distribution
* 🔧 Product mods
* 🦺 Safety
* 🗑️ Scrap handling
* 📊 Budgeting
* 📣 Marketing
* 🏚️ Asset mgmt

2️⃣ Program-Results – Evaluate program costs, outcomes, success ✅
* Often used for new projects or systems
* Must define clear objectives early 📝

📏 Measures used:
* ⚖️ Productivity ratio
* 🔁 Productivity index
* 🔋 Resource usage rate
* 📉 Operating ratio

FINANCIAL AUDITS
1 💼 Financial Statements & Governance
* Auditors assess financial accuracy, policy compliance, & mgmt responsibility
* Look at board/audit committee oversight 🧑‍⚖️
* Identify risk of fraud, misstatement, or control failure ⚠️

2 🧾 Management’s Assertions
* Mgmt makes claims on valuation, completeness, & accuracy
* Auditors verify if controls support these assertions ✅

3 🚨 Key Risks
* Errors in recording & reporting
* Complex estimates or subjective areas
* Mgmt override, fraud, or outdated systems 📉

4 🔁 Accounting Cycles = Groupings of related financial transactions auditors must evaluate:
* 💸 Revenue & cash – Sales, receipts, returns, write-offs
* 🛒 Procurement – POs, payables, receiving, disbursements
* 💼 Capital & financing – Loans, equity, interest, dividends
* 👷 Payroll – Timekeeping, pay, taxes, withholdings
* 🧾 Reporting – Journal entries, trial balances, adjustments

5 ⚠️ Fraud Risk
* 🧠 Auditors assess if F/S are fairly stated
* 🕵️ Watch for fraud in:

Reporting (intentional misstatements)

Asset misappropriation 💰

Corruption (e.g. bribery, conflict of interest)
* 🔎 Red flags: mgmt override, vague transactions, poor segregation of duties

COMPLIANCE AUDITING
1 📋 Compliance Auditing = Verifies org adherence to:
* 🧾 Policies
* 🛠️ Procedures
* ⚖️ Laws
* 📘 Regulations
* 🤝 Contracts

🔍 Internal auditors assess:
* Exposure to noncompliance risk
* 🎯 Effectiveness of compliance controls
* 🎓 Staff understanding of policies

2 🛡️ Compliance Programs help prevent:
* 🚫 Employee violations
* ⚠️ Ethics breaches
* 💸 Director liability
* 🧾 Regulatory penalties

3 🏛️ Org Standards & Procedures:
* Code of conduct 📜
* Disciplinary system ⚖️
* Global compliance programs 🌍

4 👤 Responsibility:
* Mgmt must support & model compliance
* CAE should report critical issues directly to the CEO ☎️

5 👤 Applicant Screening:
* Use background checks to avoid hiring risky individuals 🧾
* Screen for red flags like fraud, criminal history, or policy violations 🚫

6 📢 Communication:
* Publish clear conduct policies 📄
* Train employees via videos, posters, e-learning 🧑‍🏫
* Emphasize tone at the top (mgmt must model compliance) 🗣️
* Distribute code of conduct & require acknowledgment 📝

7 🛰️ Monitoring & Reporting:
* Use internal audits & hotlines 📞
* Track incidents like:

Misuse of assets

Bribes or kickbacks 💰

Lack of training

Retaliation or failure to report 🚫
* Ask: “Do you know of any misconduct?” 👀

🔚 Termination Procedures:
* Ensure fair and legal processes ⚖️
* Document reasons clearly ✍️
* Remove system access & collect assets 🖥️🗝️
* Consider notifying regulatory bodies if required 📩

Standard 9.1 – Understanding Governance, Risk Management, and Control Processes, pg. 61

Describe the types of assurance services performed by the internal audit function

Assurance Services II 1x

May include but is not limited to:
f. Describe audits of organizational culture

1 Introduction
2 Risk assessment
3 Planning the culture assurance engagement
4 Performing the engagement
5 Reporting

Study These Flashcards

1 🏢 Organizational Culture Audit = Evaluates how shared values, beliefs, & behaviors affect strategy & controls.

🧠 Culture includes:
* Invisible beliefs, norms, & assumptions
* Observable actions & decisions 👥

📈 Strong cultures = better performance, innovation, & morale
⚠️ Weak or toxic cultures = fraud risk, poor ethics, high turnover

✅ Benefits of strong culture:
* 🚀 High motivation & productivity
* 📣 Open communication
* 🧠 Innovation & collaboration
* 🌐 Alignment with goals

🕵️ Auditors assess how culture affects internal controls & risk tone

2 🧠 Risk Assessment guides how the CAE audits culture.
Follows IIA Standards:
* 🔍 Understand strategy, governance, & objectives
* 📊 Identify & assess cultural risks
* ⚠️ Evaluate tone at the top & alignment with org values
* 📋 Determine how culture impacts risk response & decisions

🚨 Culture Risk Factors:
* Weak ethics/whistleblower support ❌
* Misaligned values or unclear purpose
* 🗣️ Groupthink or fear of speaking up
* 📉 Lack of accountability & integrity

✅ Healthy Culture Traits:
* Clear values
* Open dialogue 🗨️
* Strong ethics & teamwork 🤝

3 🗂️ Planning:
Choose an approach:
1️⃣ Integrate with other audits
2️⃣ Target culture-sensitive processes
3️⃣ Deep-dive into risk areas 🔍

Focus areas may include:
* Ethical breaches 🚫
* Whistleblower protection 📢
* Training effectiveness 🧠
* Tone at the top 🎙️

3 🎯 Performing the Engagement:
Review:
* 🧑‍💼 Turnover & grievances
* 🧾 Exit interviews
* 📉 Ethics hotline data
* Absenteeism trends

📥 Gathering Info:
Sources = interviews, surveys, focus groups, policies, training docs
Use both subjective insights and data analytics 📊

5 📝 Reporting:
Summarize the scope, methods, findings & recommendations 📄

Standard 1.2 Organizational’s Ethical Expectation, pg. 18

Describe the types of assurance services performed by the internal audit function

Assurance Services II 1x

May include but is not limited to:
g. Describe audits of the management reporting process

Study These Flashcards

📊 Management Reporting = Internal reports that support decision-making & monitor performance

🧩 Purposes:
* 🎯 Monitor KPIs & project milestones
* 📈 Compare benchmarks
* 👥 Communicate results to stakeholders
* 🧠 Support decisions with relevant info
* 🔍 Identify problems & opportunities

📃 Common Reports:
* 💰 Financial & cash
* 🏗️ Project status
* 🧑 Personnel
* ✅ Compliance
* 📊 Variance & performance
* 💻 Systems & internal audit

🔒 Reports are internal-only, not GAAP-based, and tailored for mgmt use

🕵️ Internal audit reviews:
* Accuracy ✔️
* Relevance to goals 🎯
* Timeliness and clarity 📅

Standard 13.4 Evaluation Criteria, pg. 100
Standard 14.2 Analyses and Potential Engagement Findings, pg. 105
Standard 14.5 Engagement Conclusions, pg. 110

Describe the types of advisory services performed by the internal audit function

Other Advisory Services

May include but is not limited to:
a. Describe the internal auditor’s role in providing risk and control training
- Risk awareness & controls training

Study These Flashcards

🧠 Internal auditors helps employees understand risks 🎯 & related controls 🛡️

👥 Auditors support training via:
1️⃣ Control Self-Assessment (CSA)
* Teaches staff to assess risks & controls
* 🎯 Increases chance of meeting business goals

2️⃣ Ethical Culture
* Part of governance 🏛️
* Auditors may act as ethics counselor or expert 🤝
* Supports soft controls like values & integrity

📄 Source:
GIAS 2024, Page 92 – Domain V: Performing Internal Audit Services (Introduction)

Describe the types of advisory services performed by the internal audit function

Other Advisory Services

May include but is not limited to:
b. Describe the internal auditor’s role in system design and development
- System development reviews

Study These Flashcards

💻 System Development Review = Evaluates processes/controls in creating or acquiring new systems.

🧑‍💼 Auditor’s Role:
* Ensure controls & audit trails are built into the system 🧩
* Provide independent input throughout the project 🔁
* Identify key risks early ⚠️
* Confirm alignment with user needs ✅
* Track progress & test functions thoroughly 🧪
* Oversee change management and maintenance 🔧

📋 Good practices:
* Clearly record user needs 🗂️
* Follow planned design process 🧱
* Validate each system component 💡
* Use the same controls for outsourced dev 👨‍💻

📄 Source:
GIAS 2024, Page 92 – Domain V: Performing Internal Audit Services (Introduction)

Describe the types of advisory services performed by the internal audit function

May include but is not limited to:
c. Describe the internal auditor’s role in due diligence services
- Due diligence auditing

Study These Flashcards

📋 Due Diligence Auditing = Evaluates the business justification for major transactions (e.g., mergers, JVs, acquisitions)

👨‍💼 Can be advisory (guidance) or assurance (independent assessment)

🔍 Auditors may review:
* 🛒 Operations (e.g., purchasing, inventory)
* 🖥️ IT controls
* 🏢 Cultural compatibility
* 💵 Financial statements
* ⚖️ Legal compliance
* 🔗 Integration planning

🎯 Goal: Confirm expected benefits (e.g., new markets, IP, skilled staff) and ensure effective implementation ✅

📄 Source:
GIAS 2024, Page 92 – Domain V: Performing Internal Audit Services (Introduction) explicit

Describe the types of advisory services performed by the internal audit function

May include but is not limited to:
d. Describe the internal auditor’s role in maintaining data privacy
- Use of personal information in performing engagements

Study These Flashcards

🤝 Internal auditors help protect personal information by:
* 🔐 protect personally identifiable information (PII) during audit
* ⚖️ Following privacy laws & legal consent requirements
* ❓ Consulting legal counsel b4 audit if questions arise
* 🤐 Maintain confidentiality and ethical use

Principle 5 Maintain Confidentiality, pg. 34-36

# 6 Describe the types of advisory services performed by the internal audit function ## Footnote *May include but is not limited to*: e. Describe the internal auditor’s role in **benchmarking** 1 Introduction 2 Benchmarking 5 phases 3 Types & uses of benchmarks

1 📊 Benchmarking = Comparing your org’s processes, performance, or products against the best in class 🥇 🎯 Purpose: * Improve quality ✔️ * Increase efficiency ⚙️ * Boost customer satisfaction 😊 * Support continuous improvement 🔁 👥 Used in advisory engagements to help mgmt set goals & drive change. 2 1️⃣ To select & prioritize projects🎯 2️⃣ Organizing benchmarking teams 📉 3️⃣ Research & identify best-in class performance 🗣️ 4️⃣ Data analysis 💡 5️⃣ Implementation 📈 3 📊 Types of Benchmarks: 1️⃣ Internal benchmarking – Compare within the org 🏢 🔹 ID strong vs weak units 🔸 Limitation: may miss external improvement opportunities 2️⃣ External (competitive) benchmarking – Compare with competitors 🏆 🔹 Get industry best practices 🔸 May need to buy or anonymize data 3️⃣ Generic benchmarking (under external benchmarking) – Compare with non-competitors across industries 🌐 🔹 Broader collaboration, more data sharing 🤝 4️⃣ Process/Functional benchmarking – Focus on specific functions ⚙️ 🔹 E.g., time to market, production efficiency 5️⃣ Performance benchmarking – Compare outcome metrics 📈 🔹 E.g., sales growth after product launch 6️⃣ Strategic benchmarking – Review business models for long-term planning 🧠 ## Footnote 📌 **Standard 13.4** (Evaluation Criteria) – use benchmarking as criteria → Condensed GIAS, p. 100 📌 **Standard 14.3** (Evaluation of Findings) – assess risk & impact of benchmark gaps → Condensed GIAS, p. 107 📘 **Glossary**: "Advisory services" includes benchmarking → Condensed GIAS, p. 10

# 6 Describe the types of advisory services performed by the internal audit function ## Footnote *May include but is not limited to*: f. Describe the internal auditor’s role in internal control assessments

An internal control assessment = reviewing whether controls are: 🔐 **Well-designed** (preventive & detective) ⚙️ **Working effectively** (actually followed) 💣 Identify gaps or risks in business processes (e.g. finance, HR, IT) Advisory services include: “Advising on the design and implementation of new policies, processes, systems, and products... and facilitating discussions about risks and controls.” 🔎 Why it matters: It explicitly includes control-related advisory work like: * Helping design new internal controls * Supporting control assessments * Facilitating self-assessment workshops 📘**Standard 9.1** Internal auditors must understand how **control processes** are designed, implemented, and operated. 🧠Before advising, they must understand how controls should work. 📘 **Standard 9.2** Internal audit strategy should include ways to** improve risk and control processes.** ✅Auditors may help improve controls as an **advisors**, not taking over operations. 📘 **Standard 13.4** Auditors must use **evaluation criteria** to assess performance. 📊Control frameworks & benchmarks, or best practices = useful tools for control assessments. 📘 **Standard 14.3** Internal auditors must evaluate the **significance & impact** of gaps in controls or risks. 📣They can recommend improvements — but NOT implement them. ## Footnote 🔹 Glossary – “Advisory Services, p.10 🔹 Standard 9.1 – Understanding Governance, Risk Management, and Control Processes, p. 61 🔹 Standard 9.2 – Internal Audit Strategy, p. 63 🔹 Standard 13.4 – Evaluation Criteria, p. 100 🔹 Standard 14.3 – Evaluation of Findings, p. 107

# 6 Describe the types of advisory services performed by the internal audit function ## Footnote *May include but is not limited to*: g. Describe the internal auditor’s role in process mapping - **Business process mapping**

🗺️ Business Process Mapping = Visualizes workflows to improve efficiency by focusing on results over tasks 🎯 🔧 Business process reengineering * Redesigns processes to: 1️⃣ Eliminate useless tasks 2️⃣ Automate 3️⃣ Simplify * Goal = faster, better, leaner operations ⚡ 🚫 Regenerating is not improvement * Rebuilding old systems ≠ actual progress * Only use when absolutely necessary ❗ ✅ Total quality management (TQM) * Continuous quality in all activities * Emphasizes: prevention, teamwork 🤝, training * A strategic advantage that’s hard to copy 📈 🛠️ Reengineering and TQM methods * Reduce rework ♻️ * Remove unneeded steps 🧹 * Improve internal control monitoring 🔍 🕵️ Internal auditors may perform the functions of… * 1️⃣ Verify mgmt support * 2️⃣ Recommend processes to review * 3️⃣ Develop audit plans 🚫 Do NOT implement — that breaks independence 📊 Process Mapping * Flowcharts to: * Understand process links 🔗 * Spot improvements 🧠 * Confirm internal controls ✅ ## Footnote 💻 GIAS Standard 10.3, p. 76

# 7 Identify situations where the independence of the internal audit function may be impaired ## Footnote *May include but is not limited to*: a. Identify situations where the chief audit executive’s functional reporting line is not appropriate

🚫 The CAE’s independence is impaired when they functionally report to **senior management whose areas are subject to audit**, such as: CFO 💸 COO 🏭 Head of Risk or Compliance 🧑‍💼 👉 This creates potential for conflict of interest, bias, and interference 🙅‍♂️ ✅ The CAE should **functionally report to the board or audit committee** 🧑‍⚖️ to protect independence. ## Footnote Standard 7.1 Organizational Independence, page 46

# 7 Identify situations where the independence of the internal audit function may be impaired ## Footnote *May include but is not limited to*: b. Describe the board’s responsibility for protecting internal audit independence

🛡️ The board must **protect internal audit independence** by: ✅ Establishing a **direct reporting line** with the CAE ✅ Approving the **audit charter, plan,** and **CAE’s appointment/removal** ✅ Engaging with senior management to prevent interference 🚫 ✅ Meeting privately with the CAE to discuss sensitive issues 🤐 ## Footnote Standard 7.1 Organizational Independence, Essential Conditions Board, pg. 46

# 7 Identify situations where the independence of the internal audit function may be impaired ## Footnote *May include but is not limited to*: c. Describe the chief audit executive’s responsibility for protecting and maintaining internal audit independence, including communicating to the board when an impairment or perceived impairment is identified

🎯 **Situation**: When **independence of internal audit is impaired** — either **actually** or **perceived** — the **CAE has a duty to act.** 📋 **CAE’s Responsibilities:** 🔎 **Identify** the impairment → Example: CAE also manages risk/compliance = conflict ❌ 📢 **Communicate to the board** → Must **inform promptly** if independence is impaired in **fact or appearance.** → Also inform **senior management** if relevant. 🛡️ **Establish Safeguards** in IA charter. → Examples: * Reassign the audit * Contracting external assurance provider * Establish alternative processess to obtain assurance arrangements 📝**Document all actions** → CAE must **record** the situation, impact, and actions taken. ## Footnote Standard 2.3 Disclosing Impairments to Objectivity, page 24 Standard 7.1 Organizational Independence, page 46

# 7 Identify situations where the independence of the internal audit function may be impaired ## Footnote *May include but is not limited to*: d. Identify situations where budget limitations may restrict internal audit operations

1️⃣💸 Not enough money to hire enough auditors 2️⃣ 🧑‍💻 Can’t buy audit software or tools needed for work 3️⃣ 🚫 No budget to pay for external quality review (peer review) 4️⃣ 🔒 Rules say CAE cannot directly ask board for more money 5️⃣ 🧾 Audit plan cannot be completed because there's not enough money to cover all areas 6️⃣ 📢 CAE must report to board if money problems affect audit independence or work ## Footnote 📚 Based on: GIAS Principle 10, Standard 10.1 – Financial Resource Management, pg. 71

# 7 Identify situations where the independence of the internal audit function may be impaired ## Footnote *May include but is not limited to*: e. Describe the effects of scope limitations or restricted access

1️⃣ 🧱 Auditors cannot review certain areas (e.g. finance, HR, IT) because management blocks them 2️⃣ 🔒 Access to data, documents, or people is denied 3️⃣ ❗ CAE cannot complete the audit plan or give full assurance 4️⃣ 📉 Audit results may be incomplete, unreliable, or biased 5️⃣ 📢 CAE must report limitations to board (Standard 13.3 & 7.1) 6️⃣ ⚠️ Repeated restrictions show that internal audit is not independent ## Footnote 📚 Based on: GIAS Principle 7 & 13, Standards 7.1, 8.1, 13.3

# 8 Recognize the internal audit function's role in the organization's risk management process ## Footnote *May include but is not limited to*: a. Describe The IIA’s Three Lines Model

🟩 Q1: What is The IIA’s Three Lines Model? 🏛️ 🟦 A1: 1️⃣ **First Line**: Owns & manages risk (e.g. operations team) 2️⃣ **Second Line**: Oversees risk (e.g. compliance, risk management) 3️⃣ **Third Line**: Internal audit – provides **independent assurance** 🎯 Ensures clear roles & avoids conflicts of interest 🟩 Q2: Why is Standard 2.2 (Safeguarding Objectivity) linked to the Three Lines Model? 🛡️ 🟦 A2: Internal auditors must avoid conflicts when involved in 1st or 2nd line duties ⚠️ Prior roles in compliance/risk may impair objectivity ✅ Safeguards: reassignment, extra review, disclosure 🟩 Q3: Why is Standard 7.1 (Organizational Independence) linked to the Three Lines Model? 🏗️ 🟦 A3: IA must remain free from interference by 1st/2nd line 🧑‍💼 If CAE has compliance/risk duties, independence is at risk ✅ Must discuss with board, apply safeguards like outsourcing audit 🟩 Q4: Why is Standard 13.3 (Engagement Objectives & Scope) linked to the Three Lines Model? 📋 🟦 A4: IA must identify who owns and who monitors the process 🔍 Helps define scope, avoid auditing own work ⚠️ Prevents overlap with 1st or 2nd line 🟩 Q5: Why is Standard 13.4 (Evaluation Criteria) linked to the Three Lines Model? 🧪 🟦 A5: IA must use fair & relevant criteria when assessing 1st/2nd line ✅ Use SOPs, policies, laws — not personal judgment ⚖️ Ensures objective evaluation of risk/control effectiveness

# 8 Recognize the internal audit function's role in the organization's risk management process ## Footnote *May include but is not limited to*: b. Identify first and second line responsibilities that could impair the independence of the internal audit function

⚠️ Internal audit independence is impaired when it performs: 1️⃣ First Line responsibilities: 🧑‍🏭 Managing operations ➡️ e.g. Approving transactions, issuing invoices, performing daily tasks 2️⃣ Second Line responsibilities: 🧑‍💼 Designing or enforcing risk management & compliance ➡️ e.g. Writing policies, managing compliance programs, owning risk registers ❌ Why it’s a problem: Internal audit would be reviewing its own work — this breaks independence & objectivity 🛡️ Required safeguards (if involved): ✔️ Reassignment or independent review ✔️ CAE must disclose roles to the board ✔️ External audit for conflicted areas ## Footnote 📚 Related Standards: ✅ 2.2 – Objectivity ✅ 7.1 – Organizational Independence ✅ 8.1 – Reporting impairments to the board

# 8 Recognize the internal audit function's role in the organization's risk management process ## Footnote *May include but is not limited to*: c. Describe safeguards to implement when internal auditors conduct or are perceived to be conducting first or second line responsibilities

📘 Global Internal Audit Standards (GIAS) 🔹 Standard 7.1 – Organizational Independence 🗣️ CAE must: – Discuss roles with board/senior mgmt – Disclose potential impairments (real or perceived) – Advise on safeguards 🧾 Must document roles & safeguards in IA Charter 📦 If area still needs auditing → use independent 3rd-party provider ⏳ Cooling-off period: 12 months before IA reassesses that area 🔹 Standard 2.2 – Safeguarding Objectivity 🧠 All internal auditors must: – Recognize & avoid actual, potential, or perceived impairments – Avoid conflicts of interest – Not perform assurance on areas recently advised on 📗 CIA Book Online – SU4 (Advisory Services) 🔐 CAE & team must: ✅ Get board approval before doing advisory services ✏️ Amend the IA Charter to include advisory roles ⚖️ Maintain objectivity – no assumption of management responsibility 👥 Assign different auditors for advisory vs. assurance work 🔁 Bring in independent assurance provider if CAE has non-audit roles ⏳ Wait 12 months before performing assurance on previously advised areas 📣 Disclose any impairment immediately to mgmt

1 Foundations of Internal Auditing (35%) Flashcards

8 areas (35 cards)