Demonstrating due professional care involves assessing the cost of assurance in relation to the potential benefits (Option D). This approach ensures that internal audit resources are used efficiently and effectively, providing value to the organization. According to IIA Standards, Standard 1220: Due Professional Care, internal auditors must consider the extent of work needed to achieve the engagement's objectives and the relative complexity, materiality, or significance of matters to which assurance procedures are applied. Staffing audit engagements with qualified auditors (Option A), relying on prior work (Option B), and guaranteeing identification of all significant risks (Option C) do not fully encapsulate the essence of due professional care, which balances cost and benefit.
IIA Standards, Standard 1220: Due Professional Care
IIA's International Professional Practices Framework (IPPF)
How can an internal audit activity contribute to its organization's risk assessment process?
Assist in reviewing how key risks are reported
Determine the risk appetite based on an independent review
Determine necessary risk responses based on an assessment
Take accountability for risk management
Answer: A
One of the roles of internal audit is to provide assurance on the effectiveness of risk management processes [3]. Internal audit can contribute to the organization's risk assessment process by reviewing how key risks are identified, measured, monitored, and reported by the first and second lines of defense [4]. Internal audit can also provide recommendations for improving the risk reporting process and ensuring that it aligns with the organization's objectives and risk appetite [5].
Some additional information:
The first line of defense is the operational management, who owns and manages the risks. The second line of defense is the risk management and compliance functions, who oversee and support the risk management activities of the first line. The third line of defense is the internal audit function, who provides independent assurance on the effectiveness of risk management and internal control [4].
Risk reporting is the process of communicating relevant and timely information about the organization’s risks to the stakeholders, such as the board, senior management, regulators, and external auditors. Risk reporting helps to inform decision-making, enhance accountability, and promote a risk-aware culture.
The organization’s risk appetite is the amount and type of risk that it is willing to accept in pursuit of its objectives. The risk appetite should be defined by the board and communicated to all levels of the organization. The risk appetite should guide the risk assessment, response, and reporting processes.
A senior internal auditor was hired into a large internal audit activity. It was agreed upon hiring that the auditor would pursue professional development that would support her ability to take on the role of the head of internal audit. Which of the following skills best supports this development goal?
Data analysis and mining
Technical and IT skills.
Application of IIA mandatory and supplemental guidance.
Risk management and planning.
Answer: C
One of the essential skills for a head of internal audit is the ability to apply the International Professional Practices Framework (IPPF) issued by the Institute of Internal Auditors (IIA). The IPPF consists of mandatory and supplemental guidance that provides the principles, standards, and best practices for internal audit activities [2]. A head of internal audit should be familiar with the IPPF and ensure that the internal audit function conforms to its requirements and expectations [3]. The IPPF also helps the head of internal audit to demonstrate the value and quality of internal audit to the stakeholders, such as the board, senior management, regulators, and external auditors [4].
Some additional information:
Data analysis and mining, technical and IT skills, and risk management and planning are also important skills for a head of internal audit, but they are not specific to the role. These skills are relevant for any internal auditor or manager who needs to perform effective and efficient audits, use appropriate tools and techniques, and assess and mitigate risks [5].
The mandatory guidance of the IPPF includes the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the International Standards for the Professional Practice of Internal Auditing (Standards), and the Definition of Internal Auditing [2].
The supplemental guidance of the IPPF includes Implementation Guidance, Supplemental Guidance, and Practice Advisories that provide detailed guidance on how to apply the Standards in various situations and contexts [2].
Which of the following would be included in ongoing monitoring of the performance of the internal audit activity?
Acquiring feedback from audit clients and other stakeholders.
Having senior auditors conducting an annual self-assessment
Benchmarking against best practices in internal auditing.
Performing an external assessment once every five years.
Answer: A
Ongoing monitoring is a continuous process of evaluating the performance and quality of the internal audit activity [2]. It includes regular management and supervisory activities, such as reviewing audit reports, tracking audit recommendations, and measuring key performance indicators [3]. One of the ways to monitor the performance of the internal audit activity is to acquire feedback from audit clients and other stakeholders, such as the board, senior management, regulators, and external auditors [4]. Feedback can help to assess the value, effectiveness, and satisfaction of the internal audit services [5].
References:
1: Checklist for Addressing Ongoing Monitoring and Auditing
2: Internal Controls | Controller's Office
3: Performance Standards - The Institute of Internal Auditors or The IIA
4: Chapter 7 Audit Flashcards | Quizlet
5: Applying the International Professional Practices Framework, 4th edition, by Urton Anderson and Andrew J. Dahle (2018), p. 113

An internal auditor noted that many amended purchase orders were automatically created for discrepancies between the value of the original purchase order and the final invoice. Further examination revealed that most differences resulted from rounding errors, bulk weights, or minor tariff adjustments for shipping. Which of the following is the most reasonable conclusion for the internal auditor regarding this control?
The control is effective but inefficient.
The control is ineffective but efficient.
The control is both ineffective and inefficient.
The control is both effective and efficient.
Answer: A
A control is effective when it achieves its intended objective, such as preventing or detecting errors or fraud. A control is efficient when it minimizes the cost and effort required to achieve its objective [2]. In this case, the control of automatically creating amended purchase orders is effective because it ensures that the discrepancies between the original purchase order and the final invoice are resolved. However, the control is inefficient because it generates too many amended purchase orders for minor differences that may not be material or significant. This may result in unnecessary administrative burden, delays, and waste of resources [3]. A more efficient control would be to set a threshold or tolerance level for the discrepancies and only create amended purchase orders when the difference exceeds that level [4].

Internal audit requests access to write and export specialized reports from the organization's database to aid with testing and analysis. Management authorizes internal audit only to view production reports that are built into the system. How can the chief audit executive create buy-in with management and attain the access required for the engagement?
By sending the internal audit charter to the general manager to show that the requested level of access is approved by the charter.
By sending a staff auditor with at least two years' experience in the field to explain the importance of the internal audit function and the reasons why the requested level of access is necessary.
By explaining to the general manager that internal audit's work program requires the reports that can only be gathered from the system's report writer.
By meeting with the general manager to discuss the planned control testing and the risks that can be identified from utilizing the specialized reports.
Answer: D
One of the key skills for a chief audit executive (CAE) is the ability to create buy-in with management and other stakeholders for the internal audit function [2]. Buy-in means that management understands and supports the value and role of internal audit, and provides the necessary resources and access for internal audit to perform its work effectively [3]. To create buy-in, the CAE should communicate clearly and persuasively the objectives, scope, and benefits of the internal audit engagements, and how they align with the organization's goals and risks [4]. The CAE should also demonstrate the professionalism, competence, and independence of the internal audit team, and foster a collaborative and trusting relationship with management [5].
In this case, the CAE should meet with the general manager to explain why access to write and export specialized reports from the organization's database is required for the engagement. The CAE should show how these reports will help to test and analyze the controls and processes that are relevant to the organization's risks and objectives. The CAE should also highlight the potential issues or opportunities that can be identified from using these reports, and how they can help to improve the organization's performance and governance. The CAE should also address any concerns or objections that the general manager may have, such as data security, confidentiality, or system integrity, and assure that internal audit will follow the appropriate standards and protocols when accessing and using the data.
The other options are not likely to create buy-in with management. Sending the internal audit charter or a staff auditor may not be sufficient or persuasive enough to convince the general manager of the need for access. Explaining that internal audit's work program requires the reports may not explain how they are relevant or beneficial to the organization. These options may also appear confrontational or demanding, rather than collaborative or consultative, which may damage the relationship between internal audit and management.

The audit committee chair requested that the chief audit executive include in his annual report to the audit committee information related to how the internal audit activity meets its requirement for due professional care. Which of the following statements would be appropriate to include in the report?
During engagements, the identified risks were appropriately addressed with necessary audit procedures to ensure that any risk that threatened the company's objectives was adequately mitigated, regardless of cost.
Due professional care was exercised during the conduct of each engagement so that all risks were identified and ranked, and assurance procedures were designed to address each risk accordingly.
To meet its mission of enhancing and protecting organizational value and to demonstrate appropriate support for management, the internal audit activity planned to accept all proposed management consulting engagements.
During engagements, internal auditors considered various data analysis techniques and relevant technology-based audit procedures, and used these techniques and procedures when applicable.
Answer: B
Due professional care is the care and skill expected of a reasonably prudent and competent internal auditor [2]. It requires internal auditors to follow the International Professional Practices Framework (IPPF) issued by the Institute of Internal Auditors (IIA), which includes the Code of Ethics and the Standards [3]. One of the aspects of due professional care is to perform risk-based audits, which means identifying and assessing the risks that may affect the organization's objectives, and designing and executing audit procedures that provide reasonable assurance on the effectiveness of risk management and internal control [4]. Therefore, option B is an appropriate statement to include in the report to demonstrate how the internal audit activity meets its requirement for due professional care.
References:
1: Standard 1220 – Due Professional Care
2: Due professional care definition
3: What is due professional care in internal audit?
4: Standard 1220 – Due Professional Care - The Institute of Internal Auditors or The IIA

According to IIA guidance, who is ultimately responsible for the enhancement of the internal auditor's knowledge, skills, and other competencies?
The officer in charge of human resources.
The chief audit executive.
The internal auditor.
The CEO.
Answer: C
According to the IIA's Code of Ethics, internal auditors are responsible for maintaining their knowledge, skills, and other competencies at a level required to perform their professional responsibilities [2]. Internal auditors should also pursue relevant professional development opportunities to enhance their ability to add value to the organization [3]. Therefore, option C is the correct answer.
The other options are not correct. The officer in charge of human resources, the chief audit executive, and the CEO may support or facilitate the internal auditor's professional development, but they are not ultimately responsible for it [4]. The internal auditor has the primary accountability and obligation to maintain and improve their own competencies [5].

Instead of leaving its capital in a bank account with a low guaranteed interest rate, an organization's board approved a proposal to invest in a stock that could have a high expected return rate without taking any risk mitigation activities. Which risk concept does this decision illustrate?
Risk appetite.
Risk capacity.
Risk tolerance.
Risk retention.
Answer: A
Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives [2]. It reflects the organization's risk culture and strategy, and guides the risk assessment, response, and reporting processes [3]. In this case, the decision to invest in a stock that could have a high expected return rate without taking any risk mitigation activities illustrates a high risk appetite, as the organization is willing to accept a high level of uncertainty and volatility for a potential reward [4].
References:
1: Risk Resources in Internal Audit | The IIA
2: Risk-based internal audit - Wikipedia
3: What is Risk Management in Internal Audit - ESG | The Report
4: Internal Audit 1 January 13, 2012 - vsu.edu

Which of the following statements describes the activities performed by the internal audit activity to fulfill the Mission of Internal Audit?
Conduct reviews of internal risk and controls.
Conduct fraud investigations on suspicious deals.
Perform risk management functions in selected areas.
Establish the risk appetite of the organization.
Answer: A
The Mission of Internal Audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight [2]. One of the activities that the internal audit activity performs to fulfill this mission is to conduct reviews of internal risk and controls, which means evaluating and improving the effectiveness of risk management, control, and governance processes in the organization [3]. This helps the organization to achieve its objectives and mitigate its risks.
References:
1: CIA Exam Practice Questions - Certified Internal Auditor® 2019
2: Mission of Internal Audit
3: About Internal Audit : What is Risk Management in Internal Audit - ESG | The Report

Which of the following preventive controls would be most effective for organizations facing business disruptions and respective financial losses?
Develop a business continuity plan for contingent situations.
Insure the organization against financial losses.
Rely on third-party cloud solution providers for the organization's systems.
Hedge company assets via purchasing derivatives.
Answer: A
A business continuity plan (BCP) is a preventive control that aims to ensure the continuity of critical business functions and processes in the event of a disruption or disaster [2]. A BCP identifies the potential risks and impacts that could affect the organization, and outlines the strategies and actions to mitigate them and resume normal operations as soon as possible [3]. A BCP can help organizations to reduce the financial losses and reputational damages caused by business interruptions, and enhance their resilience and preparedness [4].
References:
1: Business continuity: Managing disaster and disruption
2: Preventive controls
3: 25 Key Financial Controls for Small Businesses
4: 5 Steps To Protect Your Business From Supply Chain Disruptions

Which aspect of an internal audit charter relates to the reporting structure for the internal audit activity?
Objectivity.
Responsibility.
Organization.
Authority.
Answer: C
The organization aspect of an internal audit charter relates to the reporting structure for the internal audit activity. It establishes the position of the internal audit activity within the organization, and defines its functional and administrative reporting lines [2]. The organization aspect also ensures that the internal audit activity has sufficient independence and authority to perform its work effectively and objectively [3].
References:
1: Internal Audit Charter [A Complete Guide + Template] - ModelOrganization
2: The Internal Audit Charter: Blueprint to Assurance Success - IIA Position Paper
3: Charter | Internal Audit

During an audit of the procurement department, the internal auditor interviewed the department manager to ask questions about the purchasing process. There have been a number of employee complaints, tips, and reports regarding the purchasing process via the organization's whistleblower hotline. Which of the following phrases from the interviewee is most likely to raise concerns regarding potential control deficiencies or fraud risks?
"The process works the way it is mandated to work."
"I never did it this way."
"I cannot take more than a few days of vacation, as nobody else can perform my duties."
"There are policies or procedures for this process."
Answer: C
This phrase from the interviewee is most likely to raise concerns regarding potential control deficiencies or fraud risks, because it indicates a lack of segregation of duties and proper backup arrangements in the purchasing process [2]. Segregation of duties is a key internal control that prevents or detects errors or fraud by ensuring that no single person has complete control over a transaction or activity [3]. Proper backup arrangements are also important to ensure that the purchasing process can continue smoothly and effectively in the absence of the department manager [4]. If the department manager cannot take more than a few days of vacation, it may suggest that he or she is trying to conceal some irregularities or misconduct in the purchasing process, or that there is no adequate supervision or review of his or her work [5].
References:
1: Internal Audit Interview Questions & Answers - Wisdom Jobs
2: Segregation of Duties: A Key Internal Control - The CPA Journal
3: Segregation of Duties - The Institute of Internal Auditors or The IIA
4: Backup Arrangements - The Institute of Internal Auditors or The IIA
5: Fraud Prevention Checklist - The Institute of Internal Auditors or The IIA

A chief audit executive (CAE) is currently employed at a commercial bank where she was previously the chief compliance officer over three years ago. The current chief compliance officer abruptly resigned prior to the start of a mandatory anti-money laundering compliance audit. The board is contemplating a number of alternatives regarding the vacant post, bearing in mind that the bank has been struggling financially and is looking to contain costs. Which of the following alternatives, if taken by the board, would be most appropriate to satisfy the bank's objectives as well as preserve the internal audit activity's independence?
Extend the CAE's responsibility to cover the compliance function and postpone the scheduled compliance audit to next year.
Recruit a new chief compliance officer to fill the vacancy and have the CAE direct the new individual in the compliance officer role.
Assign responsibility for the compliance function to the CAE and have an external auditor perform the scheduled compliance audit.
Appoint the current CAE to head of the compliance function. No further action is required since the CAE was employed in the compliance function more than a year ago.
Answer: B
The internal audit activity must be independent, and internal auditors must be objective in performing their work [2]. This means that they should not have any conflicts of interest or undue influence that could impair their judgment or credibility [3]. Therefore, the CAE should not assume any management responsibilities or roles that could compromise their independence or objectivity, such as the chief compliance officer [4]. Option B is the most appropriate alternative, as it preserves the separation of duties and accountability between the internal audit and compliance functions, while allowing the CAE to provide some guidance and oversight to the new chief compliance officer [5].
The other options are not appropriate, as they would create potential impairments to the internal audit activity's independence or objectivity. Option A would create a self-review threat, as the CAE would have to audit their own work in the compliance function. Option C would create a familiarity threat, as the CAE would have a close relationship with the external auditor who would audit their work in the compliance function. Option D would create a role conflict, as the CAE would have to balance the conflicting objectives and expectations of the internal audit and compliance functions.

Which of the following statements is true regarding risk management frameworks?
The organization should ensure that it uses a universally-accepted risk management framework.
The organization should ensure that its risk management framework is designed specifically to meet the needs of its operations.
The organization should ensure that the board is responsible for implementing the risk management framework.
The organization should ensure that the risk management framework has been validated by the internal audit activity for implementation.
Answer: B
A risk management framework is a system for identifying, evaluating and prioritising risks and minimising their impact. The primary goal of a risk management framework is to preserve a company's capital and earnings while allowing it to develop [2]. There is no one-size-fits-all approach to risk management, as different organizations face different types and levels of risks depending on their industry, size, culture, objectives, and strategies [3]. Therefore, the organization should ensure that its risk management framework is tailored to its specific needs and circumstances, and reflects its risk appetite and tolerance.
References:
1: Risk Management Framework (RMF) Definition - Investopedia
2: A Guide to the Risk Management Framework (With Examples)
3: What Is A Risk Management Framework (RMF)? 2023 Guide - SelectHub
4: Risk Resources in Internal Audit | The IIA

Which of the following statements is true regarding a small internal audit activity with limited resources demonstrating due professional care?
Conformance with the standard for due professional care is not relevant for small internal audit activities.
The internal audit activity may conduct internal quality assessments multiple times per year due to the size.
The internal audit activity may use a risk-based audit approach to ensure adequate focus.
The internal audit team may guide and supervise nonaudit employees with relevant knowledge to assist in performing engagements.
Answer: C
Due professional care is the care and skill expected of a reasonably prudent and competent internal auditor [2]. It requires internal auditors to follow the International Professional Practices Framework (IPPF) issued by the Institute of Internal Auditors (IIA), which includes the Code of Ethics and the Standards [3]. One of the aspects of due professional care is to perform risk-based audits, which means identifying and assessing the risks that may affect the organization's objectives, and designing and executing audit procedures that provide reasonable assurance on the effectiveness of risk management and internal control [4]. Therefore, option C is an appropriate statement: a small internal audit activity with limited resources can demonstrate due professional care by ensuring adequate focus on the most significant risks and areas.
References:
1: CIA Exam Practice Questions - Certified Internal Auditor® 2019
2: Due professional care definition
3: What is due professional care in internal audit?
4: Standard 1220 – Due Professional Care - The Institute of Internal Auditors or The IIA

Which of the following scenarios most likely indicates that the organization is not managing risks effectively?
Securities market oversight authorities fined the organization for not disclosing significant transactions with a related party.
A construction project is significantly delayed due to an unexpected global pandemic.
Senior management terminated contracts with certain solar panel manufacturers due to potential allegations of child labor usage.
A local community filed a lawsuit against a wind farm developer even though the developer complied with all legal requirements.
Answer: A
Risk management is the process of identifying, assessing, and responding to the uncertainties that may affect the organization's objectives [2]. Effective risk management means attempting to control, as much as possible, future outcomes by acting proactively rather than reactively [3]. Therefore, effective risk management offers the potential to reduce both the possibility of a risk occurring and its potential impact.
Option A is the most likely scenario that indicates that the organization is not managing risks effectively, because it shows that the organization failed to comply with the disclosure requirements and exposed itself to regulatory fines and reputational damages [4]. This could have been avoided or mitigated if the organization had implemented a robust risk management framework that included policies, procedures, controls, and reporting mechanisms to ensure transparency and accountability in its transactions.
The other options are less likely to indicate ineffective risk management, as they involve external factors that are beyond the organization's control or influence. Option B involves an unexpected global pandemic, which is a rare and unpredictable event that could cause significant disruptions to any organization. Option C involves potential allegations of child labor usage by third-party suppliers, which is a reputational risk that the organization tried to address by terminating the contracts. Option D involves a lawsuit by a local community against a wind farm developer, which is a legal risk that the developer tried to prevent by complying with all legal requirements. These scenarios may still pose challenges or losses for the organization, but they do not necessarily reflect poor risk management practices.

Which of the following actions by an organization's board would potentially impair the internal audit activity's independence?
Approving the appointment and compensation package of the chief audit executive (CAE).
Requiring that reports from the CAE are reviewed and approved first by senior management.
Approving the internal audit activity's resources and audit plans annually.
Asking senior management and the CAE about the scope of the annual internal audit plan.
Answer: B
This action by the organization's board would potentially impair the internal audit activity's independence, because it would create a reporting threat that could undermine the CAE's ability to communicate the results of internal audit engagements objectively and directly to the board or the audit committee [2]. The CAE should have unrestricted access to the board or the audit committee, and should not be subject to any undue influence or interference from senior management in reporting the internal audit findings, opinions, and recommendations [3].
References:
1: Standard 1110 – Organizational Independence - The Institute of Internal Auditors or The IIA
2: Independence and Objectivity - The Institute of Internal Auditors or The IIA
3: Position paper: Independence and objectivity | Delivering internal audit | Resources | IIA

An internal auditor is assigned to an assurance engagement. The auditor's aunt has been working in management of the area under review for a considerable amount of time. Which of the following would best assist the internal auditor in this situation?
The internal audit charter.
The whistleblowing policy.
The audit committee charter.
The conflict of interest policy.
Answer: D
A conflict of interest is a situation where an internal auditor's personal or professional interests may compromise their objectivity, integrity, or ability to perform their work effectively [2]. An internal auditor should avoid any conflicts of interest or disclose them to the appropriate parties if they cannot be avoided [3]. A conflict of interest policy is a document that defines what constitutes a conflict of interest, how to identify and report it, and how to manage or resolve it [4]. Therefore, option D is the best answer, as it would assist the internal auditor in this situation by providing clear guidance and expectations on how to handle the potential conflict of interest arising from their aunt's involvement in the area under review.
References:
1: How to avoid conflict of interest with auditors | Smolin Lupin
2: Auditing, Conflict of Interest, and Credibility: Conducting a …
3: Independence and Objectivity - The Institute of Internal Auditors or The IIA
4: Conflict of Interest – Internal Audit and Security Staff

The internal audit activity plans to audit a supplier quality management process within the supply chain function. In what way is this assurance engagement similar to a typical consulting engagement?
For both types of engagements, internal auditors are solely responsible for deciding the goals and objectives.
For both types of engagements, internal auditors must obtain requisite skillsets for the areas where their team lacks competencies.
For both types of engagements, internal auditors should not be involved in the engagement if they previously managed the supply chain function.
For both types of engagements, internal auditors are prohibited from undertaking operational responsibilities.
Answer: B
Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities and the internal audit activity's plan [2]. This applies to both assurance and consulting engagements, as they both require internal auditors to provide risk-based and objective assurance, advice, and insight to the organization [3]. If the internal audit team lacks the necessary competencies for a specific engagement, they should obtain them through training, coaching, or external assistance [4].
References:
1: CIA Exam Practice Questions - Certified Internal Auditor® 2019
2: Standard 1210 – Proficiency - The Institute of Internal Auditors or The IIA
3: Mission of Internal Audit
4: Standard 1210.A3 - The Institute of Internal Auditors or The IIA

Which of the following is a true statement regarding environmental, social, and governance (ESG) and corporate social responsibility (CSR)?
Sustainability disclosure is evolving around the world.
Having a CSR program also means decreased revenue and increased costs.
Organizations with ESG programs have lower performance due to the necessity to focus on sustainability as well.
Sustainability reporting focuses solely on the environmental and social performance of an organization's activities.
Answer: A
ESG and CSR are both related to how a company manages its impact on society and the environment, but they are not the same. CSR is a voluntary business model that reflects a company's commitment to positive social and environmental outcomes. ESG is a set of criteria that investors use to measure and evaluate a company's sustainability practices and performance [2]. Sustainability disclosure is the process of reporting on the ESG and CSR aspects of a company's activities to the stakeholders, such as the board, senior management, regulators, customers, and the public [3]. Sustainability disclosure is evolving around the world, as more companies adopt ESG and CSR frameworks and standards, and more stakeholders demand greater transparency and accountability on sustainability issues [4].
References:
1: 3 paradigm shifts in corporate sustainability to new era of ESG
2: What is the difference between CSR and ESG?
3: Environment, Social and Governance (ESG)
4: ESG vs.
CSR: Key Differences & What Businesses Need to Know, , , , , , Which of the following constitutes an example of a control designed to prevent an undesired activity from happening?, Physical inventory counts., Reconciliation of accounts., Segregation of personnel duties., Confirmation of sales by third parties., Answer: C, Segregation of personnel duties is a control that is designed to prevent an undesired activity from happening, such as errors, fraud, or misuse of resources. It means dividing the tasks and responsibilities related to a process or activity among different people, so that no one person has complete control over it2. This reduces the opportunity and incentive for anyone to manipulate or falsify the data or transactions, and increases the chances of detection if they do3., References:, 1: Preventive Controls: What Are They & Why Are They Important?3 2: Segregation of Duties - The Institute of Internal Auditors or The IIA 3: Segregation of Duties - Wikipedia, , , , Which of the following engagement areas would allow the internal audit activity to assess organizational governance?, Accounts payable., Quality control., Ethics activities., Regulatory compliance., Answer: C, Organizational governance is the combination of processes and structures that help the organization achieve its objectives2. Ethics activities are part of organizational governance, as they reflect the organization’s values, culture, and ethical standards3. 
Internal audit can assess the ethics activities by evaluating the design and effectiveness of the ethics program, policies, and procedures, and providing assurance and advice on how to improve them4., References:, 1: CIA Exam Practice Questions - Certified Internal Auditor® 2019 2: IIA Audit Tool - The Institute of Internal Auditors or The IIA1 3: Internal Audit Governance: Effective Governance through Internal Auditing 4: Corporate Governance & Internal Audit | Ideagen, , , , Which of the following would the internal audit activity do first if fraud is suspected during an audit engagement?, Interview the employees who may be implicated in the fraud., Advise management regarding the event and provide recommendations., Expand audit testing to determine whether fraud actually occurred., Determine the potential impact on the organization., , Answer: C, If fraud is suspected during an audit engagement, the internal audit activity should first expand audit testing to gather sufficient and appropriate evidence to confirm or dispel the suspicion2. This may involve applying additional or alternative audit procedures, such as data analysis, interviews, observations, or confirmations3. The internal audit activity should also document the results of the expanded audit testing and communicate them to the appropriate parties in accordance with the organization’s policies and procedures4., References:, 1: CIA Exam Practice Questions - Certified Internal Auditor® 2019 2: Fraud and Internal Audit | Grant Thornton5 3: FRAUD AND INTERNAL AUDIT IIA POSITION PAPER FRAUD AND INTERNAL AUDIT Assurance Over Fraud Controls Fundamental to Success Introduction Every year billions of dollars are lost to fraud and corruption resulting in inefficiencies, aborted projects, financial challenges, organizational failure, and, in extreme cases, humanitarian disaster. Often fraud occurs because of poorly designed controls and weak governance undermining the organization’s processes. 
Organizations should have robust internal control procedures to limit the risk of fraud, and internal audit’s role is to assess these controls. Fundamental Fraud Facts Fraud can be defined as any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage. Fraud is not unique to any organization type. It occurs in public and privately owned businesses, not-for-profit, in organizations that seek to contribute to economic and social well-being, such as government departments, financial institutions, and public and private utilities (water, electricity, education, health care, etc.). In short, the opportunity to commit fraud exists everywhere. How organizations deal with the risk of fraud may be influenced by legal jurisdiction and the organization’s own risk assessment and appetite. Fraud can often lead to litigation, dismissal, and recovery of assets. It is essential, therefore, that any investigation is undertaken by suitably qualified individuals to reduce the risk of compromising evidence, accusing wrongfully, or undermining prospective legal actions. Consistent with The IIA’s International Standards for the Professional Practice of Internal Auditing on proficiency (1210.A2), internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization. KEY TAKEAWAYS Organizations should have robust internal control procedures to limit the risk of fraud, and internal audit’s role is to assess these controls. The organization should have a suitable fraud prevention and response plan in place allowing effective limitation and swift response to the identification of fraud and management of the situation. This should include digital data. 
The chief audit executive should consider how the risk of fraud is managed across the organization and assess the fraud risk exposure periodically. The risk of fraud should be included in the audit plan and each audit assignment to evaluate the adequacy of anti-fraud controls. Internal auditors should not investigate fraud unless they have the specific experience and expertise required to do so. The IIA’s Perspective Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. Its role includes detecting, preventing, and monitoring fraud risks and addressing those risks in audits and investigations.1, p. 4 4: Standard 2400 – Communicating Results - The Institute of Internal Auditors or The IIA, , , Which of the following is an example of computer forensic auditing?, Testing compliance with policies that define acceptable computer use., Assessing controls over allocation of IT assets in a specific location., Recovering deleted communications and emails., Logging targeted cybersecurity events on the organization's network., Answer: C, Computer forensic auditing is the process of collecting and analyzing digital evidence from electronic devices, such as computers, mobile phones, or tablets2. The purpose of computer forensic auditing is to investigate and resolve cases involving cybercrime, fraud, or other illegal or unethical activities3. One of the examples of computer forensic auditing is recovering deleted communications and emails, which can help to reveal the identity, motive, or modus operandi of the perpetrators or suspects4., References:, 1: Forensic Audit Guide - Definition, Steps, Reasons3, p. 2 2: What Is Computer Forensics? Types, Techniques, and Careers2, p. 1 3: What Is a Forensic Audit, How Does It Work, and What Prompts It?5, p. 1 4: IT Audit & Digital Forensics: How to use an IT audit to prepare for a computer forensics investigation6, p. 
1, , , , An internal auditor failed to identify transactions between the parent organization and a subsidiary. What is the most likely reason for the failure?, The auditor misunderstood the audit objectives., The auditor lacked professional skepticism., The auditor's fieldwork was not properly supervised., The auditor lacked an understanding of the organization., Answer: D, One of the possible reasons for the failure to identify transactions between the parent organization and a subsidiary is that the auditor did not have sufficient knowledge of the group structure, the consolidation process, and the related party disclosure requirements2. The auditor should obtain an understanding of the entity and its environment, including its internal control, as part of the risk assessment procedures3. This would help the auditor to identify and assess the risks of material misstatement due to related party transactions, and design and perform appropriate audit procedures to address those risks4., References:, 1: IAS 24 — Related Party Disclosures5, p. 1 2: Group audit issues | P7 Advanced Audit and Assurance | ACCA …2, p. 1 3: INTERNATIONAL STANDARD ON AUDITING 315 (REVISED) IDENTIFYING AND … - IFAC1, p. 1 4: ISA 550 Related Parties - IAASB, p. 1, , , , An engagement supervisor is overseeing a procurement assurance engagement. In the middle of the engagement, the engagement supervisor attends a weekend social event paid for, by the head of procurement. Which of the following ethics principles is the engagement supervisor potentially violating by attending the event?, Confidentiality., Integrity., Objectivity., Competency., Answer: C, , Objectivity is one of the ethics principles for internal auditors, which means that they should not allow bias, conflict of interest, or undue influence to impair their professional judgment2. 
By attending a weekend social event paid for by the head of procurement, the engagement supervisor is potentially violating this principle, as it may create a personal or professional relationship that could compromise their objectivity in the procurement assurance engagement3., References:, 1: CIA Exam Practice Questions - Certified Internal Auditor® 2019 2: Global Internal Auditing Code of Ethics | The IIA1, p. 1 3: Code of Ethics - The Institute of Internal Auditors or The IIA2, p. 1, , , , , ]